A Broader View

Also in the Management section: You can learn technology from a book or from formal education, but veteran IT professionals say user group membership can offer bigger payback for your organization and your career. Page 29

Lurking Liabilities in Security Law

In the Management section: Some laws and regulations get all the attention, but others can have equally disastrous consequences that you might not be aware of. Here are five security-related issues to watch out for. Page 31
6 Solaris 10 has been downloaded 1.3 million times, says Sun. But it’s unsure how many users are actually installing the operating system.

EMC plans to release a midrange Centera array offering half the capacity of the high-end model at 65% of the cost.

At Interop, new Cisco devices spark a debate over whether IT execs or service providers are responsible for network security. Also, a vendor group details a proposed network access control standard.

Gerald Cohen, Information Builders’ CEO, takes issue with Bill Gates’ assertion that the H-1B visa cap should be eliminated.

The 20,000 new H-1B visas that Congress approved last fall are finally being made available this week.

IBM details plans to integrate Ascential’s products with its own, and users are optimistic.

Apple aims for a bigger share of the server market with its new Tiger OS, but whether it can attract new types of users is unclear.

Global Dispatches: An Aus-

19 Biometrics: Back to Business. The events of 9/11 shifted the focus of the biometrics market to the public sector, but business implementations are beginning to have an effect on the bottom line.

22 Q&A: Unconventional Innovation. Dell CTO Kevin Kettler says the computer maker has helped shape the direction of IT development to make sure new technologies are better focused on meeting customer needs.

23 Chilling Out With DC Power. DC power-delivery systems allow server racks to run as much as 15% cooler than they would with AC systems, and the reliability can’t be beat.

24 Security Manager’s Journal: Protecting the Crown Jewels. Mathias Thurman looks at options for protecting the source code of his company’s software products.
32 Q&A: The End of Corporate IT. Love him or loathe him, you’ve got to read what Nicholas G. Carr says about the

ports that Intel is keeping Moore’s Law valid for the foreseeable future by developing chips with more than one processor core.

Don Tennant admires Information Builders CEO Gerald Cohen’s willingness to speak his mind.

Bruce A. Stewart says CEOs’ demands for innovation to produce growth means custom apps are making a comeback.

Thornton A. May cites research suggesting that IT appears to have fallen off the radar screen of next-generation business leaders.

3 Curt A. Monash says most of your tech strategy can be devised by studying Microsoft, Oracle and IBM, but there’s still much to be learned from some smaller vendors.

5 Bart Perkins warns that if your management controls grow lax, you’re setting yourself up for embarrassment and failure.

Frankly Speaking: Frank Hayes thinks IT needs to do more to help users protect company secrets.


How Spies Operate

SECURITY: In an excerpt from his book Spies Among Us, Ira Winkler presents the story of two Russian hackers who applied their skills to steal thousands of credit card numbers and to later extort U.S. companies.

IT MANAGEMENT: Health care companies should enter into business associate agreements with their IT vendors to safeguard patient data as demanded by HIPAA, says attorney John A. Gliedman. QuickLink 54073

MACINTOSH: Apple has updated its Power Mac G5s, and Computerworld.com’s Ken Mingis couldn’t resist the siren song of speed offered by the top-end model, which sports dual 2.7-GHz G5 processors, a faster SuperDrive and more storage. QuickLink 54140

CAREERS: Adjusting to an unfamiliar super-

chance for a fresh start, suggests columnist Katherine Spencer Lee. QuickLink 53868
AT DEADLINE

IBM Plans to Lay Off 13,000 Workers

IBM plans to cut 10,000 to 13,000 jobs, or up to 4% of its workforce, mostly from its European operations. IBM last month reported poor earnings, and the restructuring is projected to cut costs by up to $500 million during the rest of 2005, and by $1 billion in 2006. IBM will take a $1.3 billion to $1.7 billion pretax charge in the second quarter.

Siebel to Add SOA, Component System

Siebel Systems Inc. has detailed plans to roll out a new branch of CRM offerings later this year as industry-standard prefabricated components. The component-based systems, based on a service-oriented architecture, will run on multiple server hardware, portal and database platforms. The components are expected to be available by year’s end.

Capgemini Makes Cuts in N. America

Capgemini outlined plans to restructure its North American operation - including 200 job cuts and the shuttering of more than half of its 40 U.S. offices. The cutbacks should yield $162.1 million in annual savings once the effort is completed by early July. Capgemini reported a 16% jump in first-quarter revenue to $2.2 billion. (Read a Q&A with Capgemini’s COO at QuickLink 54212.)

IBM to Unveil Array, Storage Controller

IBM today plans to unveil a new 4Gbit/sec. midrange storage array. The IBM TotalStorage DS4800 can perform 42,000 I/Os per second and is priced from about $54,000. It will be generally available June 17. IBM will also introduce Version 2.1.1 of its SAN Volume Controller virtualization appliance. It starts at $44,500 and has a May 13 ship date.





NEWS

Solaris 10 Downloads Grow, but Usage Unclear

Jury is still out on whether customers will install the OS

BY PATRICK THIBODEAU
WASHINGTON

At its quarterly product-launch announcement here last week, Sun Microsystems Inc. touted the fact that there have been 1.3 million downloads of Solaris 10 since the operating system was released last November.

Sun officials said they are pleased with the pace of the downloads. But John Loiacono, executive vice president of the company’s software group, said in an interview that it’s difficult to know precisely what users are doing with the operating system.

Until Sun releases the first update of Solaris 10 later this year and then maps installations of that version back to users who previously downloaded the software, “it’s hard to tell whether someone is just kicking the tires or it’s a new installation,” Loiacono said.

Gerry Vest, systems administrator at the Southwest Foundation for Biomedical Research in San Antonio, is testing Solaris 10. Vest has just begun the process, but he said he’s seeing promised performance improvements as a result of Sun’s rewrite of the operating system’s TCP/IP stack.

The research lab is running Solaris 8 in production, and Vest said he expects to move to the new operating system within six months. He added that eventually he will likely run Solaris 10 on about 700 dual-CPU servers equipped with Advanced Micro Devices Inc.’s Athlon processors.

IDC analyst Dan Kusnetzky said that although Sun might be happy with the volume of downloads thus far, “a download doesn’t translate to production use.” He said Sun needs to show that new customers are adopting Solaris 10 and that open-source developers are working with the software, which is being released under a royalty-free license.

More From Sun

Sun officials last week also put the spotlight on grid computing, an area the company is focusing on heavily as both a utilitylike service and a technology offering for internal deployments. Sun is launching a “sneak peek” program for its Sun Grid Compute Utility, which will let users buy CPU cycles on an hourly basis. The service is due to become available in the summer, along with an offering that provides storage for a monthly fee.


www.computerworld.com 


Sun said users that want to run computationally intensive applications, batch processes and other jobs that aren’t transaction-based have expressed interest in the utility model.

For now, though, company officials don’t think users are ready to adopt Sun Grid for transaction processing.

James Kennedy, a strategic programs system engineer at the national headquarters of the American Red Cross in Falls Church, Va., said he found Sun’s N1 grid technology attractive for internal use. But running applications on a utility basis poses problems because of regulatory and security concerns, he added.

Among the products that Sun announced were N1 System Manager, a tool that supports the company’s hardware, and an upgraded version of its N1 Service Provisioning System. Loiacono indicated last month that the N1 products would be rolled out soon [QuickLink 53774].

One person who has seen the new system management software is John Groenveld, an associate research engineer at Pennsylvania State University’s Applied Research Laboratory. N1 System Manager allows users “to treat a cluster of systems almost like a mainframe,” he said. @ 54249





EMC Unveils Midrange Centera

Trims capacity, price of array

BY LUCAS MEARIAN

EMC Corp. today will unveil its first midrange Centera content addressed storage (CAS) array, which offers the same functionality as its bigger and more expensive brother with only half the capacity — 2.2TB.

The new Centera uses the same internal architecture as the high-end Centera system: a redundant array of independent nodes that marries one Intel processor to each tray of four disk drives.

The new rack-mountable Centera can be configured for both storage and access.

The midrange system is the first major hardware change in EMC’s CAS system line since the high-end Centera was first brought out in April 2002.

“This will allow [small and midsize businesses] to use an archiving system to finally get their data in a sustainable state, and where they’re not backing up the same data all the time,” said Anne MacFarland, an analyst at The Clipper Group Inc. in Wellesley, Mass.

[Photo caption: EMC’s new Centera storage array]

The new box also incorporates the Advanced Technology Attachment disk drives that the high-end model uses.

Arun Taneja, an analyst at Taneja Group Inc. in Hopkinton, Mass., said price/performance improvements in future midrange systems may one day make the high-end offering obsolete.

To guard against that, EMC’s marketing scheme doesn’t offer expandability beyond the new system’s four nodes.

“In the next two or three months, EMC will face pressure from the marketplace to make this product upgradable from four to eight nodes,” Taneja said.

Like the original Centera, the new box comes with remote replication, file indexing and search capabilities, as well as several bundled software systems that can archive data to meet regulatory requirements.

Roy Sanford, vice president of CAS at EMC, said the new Centera is also available bundled with e-mail archiving software, such as EMC’s Legato DiskXtender and EmailXtender.

Sanford declined to disclose specific pricing plans but said the new model will cost about 35% less than the high-end one, which starts at about $148,000. “This will be sub-$100,000,” Sanford said. @ 54250
NETWORK EXCELLENCE
J-Series & JUNOS, Always Performance Perfection.

Are you sinking in a patchwork of network complexity? Can you count on your network to deliver the security and predictability that your business needs to move to VoIP or to run networked ERP applications? Or to gain the flexibility and cost advantages of moving remote and branch office connections from leased line to IPSec VPN?

Simply leave the Status Quo for unprecedented simplicity, predictability and platform independence: Juniper’s J-series. The J-series, and our modular JUNOS operating system, is perfect for extended and distributed enterprises with business-critical application — ensuring superior security and quality over a converged IP network. Now forward-thinking enterprises, government organizations and research & education groups have a better alternative in forward-looking platforms:

• Superior Security: Dedicated resources offer the most advanced defense from outside threats while giving you complete control, even under attack. Add new filters and policies directly, quickly, easily.

• Unprecedented Uptime: JUNOS architecture allows multiple functions to run independently, keeping minor issues from becoming major problems. And keeping enterprises (and network managers) secure — in fact, just hit “rescue” for speedy system recovery. What’s more, our next-generation CLI means accurate configuration. Legacy “routers” can only wish for parallel multi-function excellence.

• Performance Predictability: Congestion-ending architecture ensures the most important applications receive top resource priority, so you maintain incredible control and throughput during the most demanding times.

• Reduced Operational Complexity & Costs: Our clean-code configuration and consistent release schedules require minimal effort to set up and maintain — no wasted time on constant patches and upgrades.

SPECIFICATIONS

Platform                J2300                       J4300                       J6300
Size                    1U                          2U                          2U
Site Connections        2xT1/E1/Serial              2xT1/E1/Serial to 8xT1/E1   2xT1/E1/Serial to DS3
Fixed LAN Ports         2xFE                        2xFE                        2xFE
WAN Interface Slots     n/a                         6 Open Slots                6 Open Slots
Fixed WAN Interfaces    2xT1 or 2xE1 or 2xSerial    n/a                         n/a
WAN Interface Modules   n/a                         2xT1/2xE1/2xSerial/2xFE     2xT1/2xE1/2xSerial/2xFE/DS3
Memory                  256 or 512 MB DRAM          256 or 512 MB DRAM          256/512/1024 MB DRAM
Redundancy              No                          No                          Power

Additional Software Licenses (all three platforms): Stateful Firewall, IPSec, J-Flow Accounting, BGP Route Reflector
New Cisco Appliances Drive Debate on Network Security

IT execs weigh use of internal tools vs. external protection

BY MATT HAMBLEN
LAS VEGAS

Network security became a major topic of debate at last week’s Interop conference, with differences of opinion emerging among networking vendors, service providers and users over where security tools should be applied and who should provide them. Cisco Systems Inc. used the conference to announce a line of multifunction security appliances for defending against network threats. But Hossein Eslambolchi, AT&T Corp.’s CIO and chief technology officer, responded that the proper place to defend against security threats is in the WAN backbones controlled by his company and other service providers. That can stop attacks from reaching corporate boundaries, Eslambolchi said.

Some network managers at the conference said IT security is so important that it requires both internal technology they can control and reliable external protections from network operators.

“You need both,” said Andre Gold, director of information security at Houston-based Continental Airlines Inc., which has been testing Cisco’s new Adaptive Security Appliance 5540 for the past six months. At $16,995, the 5540 is the most expensive of the three ASA devices that Cisco plans to ship this month.

Gold said he is still evaluating whether to use the 5540. “It’s not easy to set up,” he noted. Nonetheless, he said Cisco’s ASA concept is “very, very appealing” because it addresses network security management in a single box.

The ASA 5500 line incorporates features from Cisco’s firewall, intrusion-prevention and virtual private network products and also supports routing, multicasting and quality-of-service capabilities.

Jayshree Ullal, senior vice president of Cisco’s security technology group, said the security features in the appliances will eventually work their way into the company’s routers and switches, but she declined to disclose a detailed road map.

The ASA offering doesn’t interest Irving Tyler, CIO at Quaker Chemical Corp. in Conshohocken, Pa. Tyler needs to protect network connections for 300 remote users globally and manage networks serving 15 offices.

Products like the ASA line are “not a priority,” he said. “AT&T and others should be in the network pipeline protecting against threats. I want my provider to do that.”

Tyler likened receiving data over global networks to getting water in pipes at his home, saying he expects a certain level of purity so he won’t have to “run around and install filters on every faucet.”

On the other hand, Jerry Knaus, senior manager of IT infrastructure at Jeppesen Sanderson Inc. in Englewood, Colo., said Cisco’s appliances or similar products might be useful because the subsidiary of The Boeing Co. doesn’t want to rely too heavily on network service providers to defend it against attacks.

“I’m not comfortable with relying on my service provider for security, since we’re transferring important business knowledge such as flight plans and flight data all the time,” Knaus said. “We need to feel more of a sense of control.”

Andrew Braunberg, an analyst at Current Analysis Inc. in Sterling, Va., said Cisco’s ASA rollout follows introductions of similar appliances by several security vendors over the past two years. The new offering is significant because of Cisco’s size and market clout, Braunberg said. But he questioned whether large enterprises would use the ASA technology, because its firewall throughput is a relatively slow 650Mbit/sec. @ 54248

[Pull quote] AT&T and others should be in the network pipeline protecting against threats. I want my provider to do that.
IRVING TYLER, CIO, Quaker Chemical

DO IT YOURSELF
AT&T plans to rely on its own software to secure its global IP network
QuickLink 54254
www.computerworld.com

Vendor Group Adds Net Access Specs

BY JAIKUMAR VIJAYAN

A proposed network access control standard, developed by a large group of vendors that includes IBM, Intel Corp. and Microsoft Corp., could soon help give IT managers a set of vendor-neutral tools for enforcing security policies on end-user devices.

The Trusted Network Connect (TNC) specifications were detailed at last week’s Interop conference in Las Vegas. Also announced at the show were a pair of application programming interfaces (API) that vendors can use to develop TNC-based tools, as well as plans for the first products implementing the standard.

Like similar approaches from individual vendors such as Cisco Systems Inc. and Microsoft, TNC will let IT managers set rules to permit, restrict or deny network access to end users, depending on whether their systems have the required firewalls, antivirus tools, software updates and configuration settings.

Such capabilities are crucial for avoiding attacks launched via compromised PCs and mobile systems, said Ahmed El-Haggan, CIO at Coppin State University in Baltimore. “It’s great to be able to take care of a security problem at the network level before it reaches my servers and my applications,” he said.

The core difference between TNC and approaches such as Cisco’s Network Admission Control program is that TNC is designed for networks built around products from multiple vendors.

The Portland, Ore.-based Trusted Computing Group developed TNC and plans to release at least four more APIs over the next several months, said Thomas Hardjono, co-chairman of the organization’s infrastructure working group.

The interfaces will give vendors a standard way to capture, share and verify the various pieces of information that are needed to authenticate client devices and ensure that they comply with security policies, said Hardjono, a principal scientist at VeriSign Inc.

Hardjono’s group is also working to refine specifications for a hardware component called the Trusted Platform Module, a microcontroller that can store passwords, digital certificates and configuration data for identifying and attesting to the security of client systems.

But the group can’t afford to “waste 18 months squabbling among themselves about the finer points of their standard,” said Jim Slaby, an analyst at The Yankee Group in Boston. “I think there’s a lot of time pressure on them. There’s a bit of a race to get endpoint policy enforcement schemes out in the market.”

At Interop, for example, Juniper Networks Inc. outlined a broad network security framework that it plans to fill out over the next few years [QuickLink 54103].

And another vendor, Nortel Networks Ltd., has also announced technologies that let its customers enforce network access control policies.

Funk Software Inc., a Cambridge, Mass.-based company that helped develop TNC, last week said it’s building support for the specifications into its Steel-Belted Radius/Endpoint Assurance server and its 802.1x-based Odyssey Client software agent. Those products are due to be available for user trials late this month.

McAfee Inc. and Check Point Software Technologies Ltd. also demonstrated support for TNC last week. Hardjono noted that a total of seven vendors have already said they will implement the standard in products. @ 54251

A vendor-neutral standard designed to give IT managers tools for enforcing
Juniper, Avaya Sign Development Pact

Router maker Juniper Networks Inc. and Avaya Inc., a developer of enterprise IP telephony gear, have signed an agreement to jointly develop, sell and support new products. Details of the agreement, including the type of products to be developed, are still being worked out. This latest pact between the two companies extends an earlier partnership.

Oracle to Buy Indian Development Sites

Oracle Corp. has agreed to exercise its options to purchase two PeopleSoft development centers in Bangalore, India. Financial terms of the deal weren’t disclosed. The centers are operated by outsourcing services companies Hexaware Technologies Ltd. and Covansys Corp. Workers at the centers will become Oracle employees after the close of the deal, which is expected in October.

Nortel Q4 Sales, Profits Down

Nortel Networks Corp. profits fell 75% in the fourth quarter of 2004 on a sales decline of 20%. Officials project improving financial results through 2005.

[Chart: Nortel by the Numbers, revenue and profit]

HP Pays $325M To Settle EMC Suit

Hewlett-Packard Co. and EMC Corp. have signed a five-year patent cross-licensing deal that will end four years of litigation between the two companies. The settlement calls for HP to pay EMC $325 million over five years for the purchase of EMC software for internal use or resale. The patent infringement litigation began in 2000 when EMC sued StorageApps Inc., which HP acquired a year later. HP filed a retaliatory lawsuit in 2002.





NEWS

BI Vendor CEO Blasts Gates’ Position on H-1B

No need to eliminate cap on visas, claims Information Builders’ Cohen

BY DON TENNANT

Gerald Cohen, the outspoken founder and CEO of New York-based business intelligence software vendor Information Builders Inc., spoke with Computerworld late last month about the controversy surrounding offshore outsourcing and the H-1B visa program. Excerpts follow:

Bill Gates told an audience in Washington recently that the U.S. needs to get rid of the cap on H-1B visas. What’s your position on that?
He’s full of it. He says, “I’d hire a lot more American engineers if I could find them — they’re not available, and that’s why we’re going to China and India.” He’s going there because it’s just cheaper. He can find all the engineers he wants in this country.

A lot of CEOs at companies like yours are saying that they just can’t find the people.
That’s bull. You know who wants [to get rid of the cap]? The Indian companies. The way the Indian companies work is they have to have a certain number of people here, and a lot more people back there — so they’re the ones who want to get all these people in. And they don’t even pay them American wages — they just pay them as cheaply as they can.

But surely you use overseas labor to lower your own costs.
I’m going to put two hats on. With one hat, I say we want to keep jobs in New York City. The other hat says that we want the company to be prosperous, and if I can lower my costs by doing work overseas, the company’s more prosperous. But I’m not so sure that’s better for the country.

How much of your development work is done outside of the U.S.?
We do a little quality-assurance work outside of the U.S. We find it’s economical to do the routine kind of QA work [overseas].

What’s your response to the unemployed U.S. IT worker who says you should be keeping those jobs in the U.S.?
We have to [do business] economically. It’s a real problem. The government is providing us with no help, so we’re doing [what we have to do] ourselves.

If you look further down the road, there’s going to be a huge drain of IT jobs. A lot of these jobs that go overseas are the spawning grounds for future jobs. So the whole industry’s going to move offshore.

What do you want the government to do to help?
[Indian vendors] will bring people into the U.S. cheaply. No! When you [bring people into] the U.S., you have to pay American wages. That would be a minimum standard, for example.

There are a lot of small things that could be done, but I have no solution for how we’re going to throttle this in some way.

A lot of people say the education system in the U.S. is failing to provide qualified IT workers. Do you disagree?
That’s bunk. Why do you have declining computer science majors? Because every parent is saying, “Why major in computer science when all the jobs are going offshore?” It feeds itself.

And I guarantee you, if it doesn’t stop, in a couple years, you’re not going to have much of an IT industry here. @ 54191

MORE ON THIS TOPIC

In this issue: Don Tennant discusses Cohen’s candor. Page 16

More online: Go to our Web site for an expanded version of this interview:
QuickLink 54143
www.computerworld.com





Government to Add 20,000 H-1B Visas

The extra visas were approved last fall by Congress

BY PATRICK THIBODEAU

Federal officials will finally open the doors to an additional 20,000 foreign workers under the H-1B visa program beginning Thursday, the U.S. Citizenship and Immigration Services (USCIS) agency announced last week.

The start of the application process for the new visas comes after a two-month delay and some controversy over the eligibility requirements for applicants. The USCIS, which sets immigration policies and rules on visa and naturalization petitions, said the visas will be granted only to foreigners who have at least a master’s-level degree from a U.S. academic institution.

That reverses the immigration service’s initial position on who would be eligible. The agency had said in March that it was considering opening the extra H-1B slots to any qualified foreign national — not just those holding advanced degrees from U.S. universities.

But the agency’s earlier stance was contrary to the intent of the eligibility language that Congress inserted last fall in the legislation that created the 20,000 additional visas, according to Sandra Boyd, who heads Compete America, a Washington-based lobbying group that represents more than 200 corporations and universities. The group backs the H-1B program as a means of ensuring that U.S. businesses can hire skilled professionals from other countries.

Interpreting Language

Boyd, who is also vice president of human resources policy at the National Association of Manufacturers, said the USCIS made the “right interpretation” of the H-1B Visa Reform Act in the regulations that will be published in the Federal Register this week.

She added that the agency’s apparent indecision over how to handle the visa allocation process created uncertainties for employers as well as prospective visa holders.

“There was a lot of confusion about whether people would be offered jobs,” Boyd said. “It made it impossible to plan, and it all seemed pretty unnecessary.”

Christopher Bentley, a spokesman for the USCIS, said that as the agency continued its review of the new law, “we came to the realization that this was not the intent of Congress” to allow workers without an advanced degree to get the added visas.

Congress approved the additional visas after IT vendors and other H-1B supporters complained that the 65,000-visa cap in place for the government’s current fiscal year was too low to meet demand. All of the visas available under the cap were taken by last Oct. 1, the first day of fiscal 2005. The USCIS said last week that the extra visas will also be available in future fiscal years and will be exempt from the regular cap. @ 54224
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IBM Details Its Plans for Ascential 


Users hope for 
smooth integration 


BY HEATHER HAVENSTEIN 
WESTBORO, MASS 

IBM last week detailed plans 
for folding Ascential Software 
Corp.'s integration and data- 
cleansing technology into its 
information management of- 
ferings. IBM closed its $1.1 bil- 
lion acquisition of Ascential 
late last month. 

At a press event here last 
week, IBM unveiled the Web- 
Sphere Data Integration Suite, 
which is based on an integra- 
tion platform code-named 
Hawk that had been under 
development at Ascential. 

Over the long term, IBM 
plans to use the Ascential tech- 
nology, along with its own, to 
help users access data that has 
been mostly inaccessible be- 
cause it was created as part 
of technology silos, said Janet 
Perna, IBM’s general manager 
of information management. 

The Ascential technology 
can “open up this integration 
environment to end users... 
to be able to more easily ac- 
cess the information they 
need,” she said. 

Such tools are important for 
companies as they consolidate 
information and processes 
from applications, said Judith 
Hurwitz, president of Hurwitz 
& Associates, an IT research 
firm in Waltham, Mass. 

Klaus Mikkelsen, global de- 
velopment leader at Ascential 
user Owens Corning, a Tole- 
do, Ohio-based manufacturer 
of building materials, said he 
is hopeful that the IBM plan 
can help his company. 

“The transition plan... 
seems to be the right thing to 
focus on, but I would be con- 
cerned that the integration 
efforts under way will limit 
near-term product develop- 
ment and enhancements,” 
Mikkelsen said. 

Owens Corning uses inte- 
gration technology from As- 
cential combined with busi- 
ness intelligence software to 
generate daily gross margins 
from multiple ERP systems. 





The WebSphere Data Integration Suite, expected to ship to beta users within six weeks, will offer a new user interface and new metadata profiling capabilities. The suite will be generally available this fall.

John Jaye, first vice president at ABN Amro Holding NV, a financial services firm in Amsterdam, said that he is pleased that IBM preserved the Hawk product. ABN uses DataStage TX to integrate with its customers and partner banks to support global payment transactional processing.

“The high-level road map seems solid,” Jaye said, adding that IBM’s plans to use Ascential technology to help it integrate some of its other software products could benefit his company. ABN Amro uses WebSphere Application Server and IBM MQSeries. Jaye called on IBM to provide more details on how it will dovetail the product lines.

Kris Williams, program manager of electronic commerce at Skyworks Solutions Inc., a Woburn, Mass.-based semiconductor company, also said he is encouraged that IBM will continue to follow Ascential’s plans for the Hawk platform. Skyworks, formerly Alpha Industries, used Ascential’s DataStage TX to help integrate its e-commerce systems with those from Conexant when the companies merged in 2002.

Williams also said that he would like to see IBM expand the integration between DataStage and IBM products.

“We'd like to see . . . integration between products like Domino, Lotus Notes and DataStage,” he said.

Perna said the IBM plan also calls for building a single repository architecture including metadata discovery, exchange and management that will incorporate existing IBM products and a set of tools that are based on Eclipse for WebSphere Business Integration and DataStage TX. The company didn’t provide specific dates for the future additions. @ 54230
CURRENT INTEGRATION CAPABILITIES
- Ascential transformation library accessible from WebSphere Information Integrator and WebSphere Business Integration.
- Unified service-oriented architecture across WebSphere Information Integration, WebSphere Business Integration and Ascential technology.
- Metadata exchange with Ascential MetaBroker for DB2 cube views.

SHORT-TERM INTEGRATION PRIORITIES
- Release next-generation Ascential Hawk this year.
- Enhance linkage between Ascential DataStage TX and WBI Message Broker.
- Converged set of tools based on Eclipse.
- Integrated metadata discovery, exchange and management.
- Connectors that can be used across WebSphere and Ascential technology.

Apple Looks to Tiger for Increased Server Sales

Some users praise upgrade; others won't consider it

BY CAROL SLIWA

Apple Computer Inc. hopes its new Tiger operating system will help the company crack open the enterprise server market, where its Xserve line lags behind Windows, Linux and other Unix offerings.

But analysts said it’s unclear if the 10.4 version of Mac OS X Server, which has built-in support for more than 100 open-source software technologies, will propel Apple beyond its traditional user base. That consists of academic and scientific institutions attracted by the powerful processing capabilities of Apple’s systems, as well as publishing companies and others lured by its graphics and multimedia technology.

“They have a challenging environment,” said IDC analyst Al Gillen. Apple’s technology gives it an advantage in certain markets, Gillen said. But, he added, “overall, the Unix market isn’t growing. The only way to grow is to take market share from one of your competitors.”

No Plans to Change

Fourteen of 16 IT managers who responded to a random Computerworld e-mail poll last week said they have no plans to consider Tiger, either because they aren’t familiar with it, they see no need to change their existing technology environments or they’re trying to consolidate the various servers they now support.

For example, Stan Johnson, a desktop and LAN services manager for the Multnomah County government in Portland, Ore., said the county’s IT department has settled on Windows and Solaris servers and has no plans to evaluate other technologies.

Sales of Apple’s Xserve systems are strongest in the $3,000-to-$5,999 price range of the Unix/RISC server market, according to Jean Bozman, another analyst at Framingham, Mass.-based IDC. In that category, Apple servers accounted for 20% of worldwide factory revenue and 21% of unit shipments last year, Bozman said. But looking at Unix/RISC servers priced at $25,000 or below, Apple had less than 5% of revenue and less than 10% of unit shipments, she said.

Florida Community College at Jacksonville uses two dozen Apple servers for video staging, archiving and developing multimedia applications, said CIO Rob Rennie. The servers have been “rock solid” and reliable, and the college will upgrade to Tiger as soon as it can, he said.

Apple servers gain entry to many companies by way of the desktop. For instance, the art department at Weather Central Inc.’s newspaper group uses Macintosh systems, so adding Apple servers was a natural step, said Chuck Sholdt, vice president of weather services at the Madison, Wis.-based weather graphics supplier.

Sholdt said his group installed its first Apple server software about 12 years ago and now uses two Xserve systems. “OS X has matured, and we just keep smiling every time a new upgrade comes out,” he said.

But Macintosh usage does not always translate to adoption of Apple servers. About 30% of the end users at JWT, an advertising agency in New York, run Macintosh desktops, said Steve Bumba, JWT’s worldwide systems director. But Windows is the official server platform, and Apple servers turn up only in isolated workgroups, he said. @ 54247

Apple’s Tiger Server OS
- Support for 64-bit apps
- iChat Server for secure …
- Adaptive junk-mail filtering
EDS Earns Profit on 5% Sales Decline

Electronic Data Systems Corp. reported a first-quarter profit, compared with a year-earlier loss, despite a 5% sales decline. The results included the expensing of stock options, which started on Jan. 1.




Cerner Buys French 
Technology Firm 


Cerner Corp. has acquired Axya 
Systemes, a Paris-based health 
care IT company that specializes 
in financial, administrative and 
clinical solutions for hospitals. 
Terms of the deal weren't dis- 
closed. The acquired company’s 
new name is Cerner France. 
Anne-Veronique Dufresnoy and 
David Kalfon, founders of private- 
ly held Axya, will remain with 
the firm. 


Microsoft R&D Aims 
At Small Vendors 


Microsoft Corp. will give small 
companies access to a library of 
technologies developed by its re- 
search and development teams. 
Under the new Microsoft IP Ven- 
tures program, small firms can 
license technologies to ease the 
development of products and ser- 
vices. In return, Microsoft is ask- 
ing for royalty payments or a 
stake in the user company. 


SANS Lists Top 20
Internet Flaws


The SANS Institute has published 
its latest list of the top 20 critical 
Internet security vulnerabilities, 
which it says companies should 
patch immediately. The list for the 
first quarter of 2005 is dominated 
by Microsoft software but includes 
problems with products from Ora- 
cle Corp., Computer Associates In- 
ternational Inc., Real Networks 
Inc. and some antivirus vendors. 
Going Twice the Performance Limit Again, Dr. Moore?

Intel Updates Moore’s Law...

. . . by using dual-core CPUs to double the transistors on a chip. Forty years ago last month, Gordon Moore, now Intel Corp.’s chairman emeritus, unveiled his “law” that the number of transistors on silicon chips will double every 18 to 24 months. And so they have. The current version of Intel’s Itanium 2 processor houses 410 million transistors, almost double the 220 million in its predecessor. The future holds something slightly different: multicore chips that at least double the transistor count, but in two or more CPUs built as one package. Intel plans to use dual-core technology in all of its product lines. For example, Stephen Smith, vice president and director of desktop platforms at Intel, says the first dual-core Itanium processor, code-named Montecito, is on track to start shipping later this year from the company’s fabrication plants and should appear in servers from Dell Inc., Hewlett-Packard Co. and others in early 2006. A dual-core Xeon chip is also due next year. By the end of 2006, 80% of new servers will be dual-core systems, Smith estimates. Applications that have been specifically written for parallel processing systems — or that are “thread-aware,” as he puts it — should run dramatically faster on dual-core chips. Smith points to studies showing that the human mind has an attention span of one-half second before wanting to move on to the next stimulus — hence, Intel’s constant striving to ensure that our boredom is minimized with ever swifter computers.

1.7B: Transistors on Intel’s dual-core Montecito processor.


Service providers make mobile . . .

. . . e-mail a better option. This week, Rogers Wireless Inc., a subsidiary of Toronto-based Rogers Communications Inc., will unveil a mobile e-mail service based on technology from Visto Corp. in Redwood Shores, Calif. According to Suzanne Panopolis, Visto’s director of marketing, the company’s ConstantSync software lets mobile users synchronize their corporate e-mail systems with the mail sent to their handheld gadgets — and vice versa. Panopolis says Visto’s technology is device-agnostic and gives IT managers more flexibility in outfitting mobile workers who need e-mail with less-expensive handhelds that are more appropriate to the task. Panopolis claims that through the Rogers deal and a similar one with London-based Vodafone Group PLC’s wireless division, her company will have 500,000 subscribers to the Visto mail-synchronizing service by midyear.

PANOPOLIS: Sync corporate and mobile e-mail.


Data, data, data, data and, yes, even...

. . . more data. Kerry Gilger, CEO of FYI Corp. in Melbourne, Fla., claims that his company has come up with a way to address the overwhelming deluge of information end users must navigate: KEGS. No, it doesn’t involve swilling beer while studying spreadsheets or gazing at PowerPoint presentations. KEGS is FYI’s shorthand for “knowledge-enhanced graphical symbol,” which it describes as a visual element that can help end users immediately grasp complex, data-drenched conditions — everything from a patient’s medical state to the real-time health of a global sales organization. The company’s FYI Visual 2.0 software ships with dozens of templates designed for specific business functions, such as help desk and manufacturing operations. A color-coded KEGS indicates whether a given parameter is above, below or within expectations. A quick glance can give an executive a situational view that he can then drill into for more details. FYI Visual also includes adapters that work with most of the major packaged enterprise applications. Version 2.5, which is due later this quarter, adds geographical information system data to the visual displays. Pricing starts at under $100,000.

HOT TECHNOLOGY TRENDS, NEW PRODUCT NEWS AND INDUSTRY BUZZ BY MARK HALL


If it’s on your 

network, do you... 

. . . know where or what it is? 
And do you know whether 
you even need it? Glenn 
Wienkoop is betting you’re 
probably clueless. He’s the 
president of Mountain View, 
Calif.-based BDNA Corp., 
which this month will begin 
spending $12.5 million of ven- 
ture capital to convince IT ex- 
ecutives that they need even 
more data about their opera- 
tions. (If you think you're al- 
ready deep in information 
overload, see item above.) 
Wienkoop 
says lots of IT 
shops have 
far too many 
licenses for 
their software 
and probably 
have numer- 
ous devices 
on their net- 
works that 
they know nothing about. 
With BDNA’s iGovern asset 
management tools, you get 
more than 10,000 “finger- 
prints” of potential hardware 
and software running on your 
network, he says. Oh sure, 
most asset discovery packages 
can locate an Oracle database 
on a Sun server. But iGovern 
can even find Xboxes and CT 
scanners, Wienkoop says. It 
lets you know whether you've 
paid for too many licenses for 
each application on your net- 
work — or maybe for too few. 
Pricing is based on the num- 
ber of IT assets that are being 
tracked. @ 54206 
Mr. 50,000 Global Remote and Mobile Users Connected Without a VPN.

“At Nissan, we expect to save at least $135 million annually thanks to the efficiencies …

Make a name for yourself with Windows Server System. An upgrade to Microsoft Windows Server System made it possible for 50,000 worldwide employees at Nissan Motor Company to have more secure remote access to their e-mail and calendars from any Internet connection, without the hassle and expense of a VPN. Here's how: By deploying Windows Server™ 2003 and Exchange 2003, not only did Nissan IT meet the CEO's demand for better global collaboration, they expect to save at least $135 million by streamlining their messaging infrastructure. To get the full Nissan story or find a Microsoft Certified Partner, go to microsoft.com/wssystem


Aussie State to Ban E-mail Surveillance

SYDNEY, AUSTRALIA

THE PARLIAMENT of New South Wales, Australia’s most populous state, is expected to pass legislation this week that bans employers from secretly monitoring the e-mail of workers unless there is a court order or suspicion of wrongdoing.

Violations of the Workplace Surveillance Bill, which also covers the use of video cameras and tracking devices, would be a criminal offense punishable by a fine of up to 5,500 Australian dollars ($4,278 U.S.) for each person involved in covert surveillance.

The bill was introduced last week by the state government’s executive branch. “We don’t tolerate employers unlawfully placing cameras in change rooms and toilets,” said New South Wales Attorney General Bob Debus. “Likewise, we should not tolerate unscrupulous employers snooping into the private e-mails of workers.”

He said the bill strikes a balance between an employee's right to privacy and the legitimate needs of employers to protect their intellectual and commercial property.

“Unless employers have a court order, they would need to give employees notice that surveillance will be conducted,” Debus said.

SANDRA ROSSI, COMPUTERWORLD TODAY (AUSTRALIA)


UBS Completes Big Mainframe Migration

ZURICH-BASED financial services firm UBS AG announced late last month that it has completed the migration of its integrated banking applications from Unisys Corp.’s OS 2200 mainframe technology to IBM’s z/OS-based hardware in just 12 months.

The applications, which touch every function critical to the bank’s daily operations, had to be moved without causing a hiccup in customer service, UBS said in a statement.

The ambitious undertaking — so important that it was supervised by UBS Managing Director

2,000 online programs, 5,000 batch programs, 3,000 database objects, 10,000 data records and over 300,000 program tasks.

Technical assistance was provided by HAL Knowledge Solutions SpA, a developer of application portfolio management tools in Milan, Italy. The vendor’s technology made it possible for 98% of the program migration to be done via automated tools, UBS said.


Public Alert System About to Go Global

EQUANT NV, an international network services provider based in Amsterdam, last week said it was selected by Unified Messaging Systems AS (UMS) in Oslo to host and manage a global alert system that lets governments and businesses send a single emergency message to a mass audience.

For example, in a public emergency requiring evacuations, customers such as the Red Cross, utilities, and fire and police departments could send a voice message or short text message to thousands of people in a selected geographic area. Message recipients could then call Equant’s international contact center to get more information.

The Equant deal will allow UMS to offer its alert service outside of Scandinavia. @ 54205
Briefly Noted


Metro AG, a Dusseldorf, Germany- 
based retailer, and Intermec Tech- 
nologies Corp. last week announced 
the first public demonstration of 
Generation 2 radio frequency iden- 
tification tags and readers at an 
RFID conference in Paris. Metro ex- 
pects more than 100 of its suppliers 
to migrate to the new, standardized 
Gen 2 RFID technology for asset 
tracking and inventory control by 
the end of this year. 


BT Group PLC in London last week 
announced a multiyear contract to 
provide global communications ser- 
vices to Jacobs Engineering Group 
Inc., a $4.6 billion company in 
Pasadena, Calif. The deal covers 
LANs, WANs and remote access at 
Jacobs operations in 30 countries. 
Financial terms weren't disclosed. 
Thrifty Car Rental, a unit of Dollar 
Thrifty Automotive Group Inc. in 
Tulsa, Okla., last week said it has 
finished translating its Thrifty.com 
Web site into French, German and 
Spanish using the translation ser- 
vices and global content manage- 
ment system of New York-based 
Translations.com Inc. 





IT’s Transformative Era 
Eludes Most Companies 


Mundane issues are still holding back progress


BY THOMAS HOFFMAN 
CAMBRIDGE, MASS 
Wrenching changes to the way 
companies can operate global- 
ly, combined with massive in- 
vestments in fiber optics and 
other technologies, have paved 
the way for a truly transforma- 
tional period in IT, contends F. 
Warren McFarlan, a professor
at Harvard Business School. 
But while some leading 
companies are able to leverage 
the new business opportuni- 
ties that are now opening up 
under a shifting global econo- 
my, most IT organizations 





continue to be hampered by 
day-to-day system repairs, 
compliance demands and oth- 
er mundane requirements, 
said panelists and attendees at 
Cutter Consortium’s Summit 
2005 conference here last 
week. “Of the nearly 50 years 
I’ve been in IT, 2005 is proba- 
bly the most exciting, trans- 
forming time for business ap- 
plications,” said McFarlan. 

He noted that the emer- 
gence of global business proc- 
ess outsourcing — where 
companies can transfer entire 
functions such as accounting 
and human resources to third- 
party companies on the other 
side of the world — has led to 
“the death of distance.” 

Such developments, along 





with the massive changes in IT- 
enabled business activities that 
have been made possible by 
the World Wide Web and other 
breakthrough technologies, re- 
flect how the industry is mov- 
ing from the “cow path” creat- 
ed over the first 40 years of IT 
to a more transformational en- 
vironment, McFarlan said. 


Stupid IT Tricks 

However, other speakers who 
joined McFarlan in a panel dis- 
cussion at the conference said 
those opportunities won't 
come easily for most compa-
nies. “As transforming as the
technology can be, it’s not pre-
venting our clients from doing
stupid stuff” with IT, said Tom 
Bugnitz, a consultant with Ar- 
lington, Mass.-based Cutter 
and president of The Beta 
Group in St. Louis. 

Another problem is that 
some organizations want to
outsource nonstrategic opera-
tions that may be in disarray,


said Lou Mazzucchelli, a Cut- 
ter consultant and a venture 
partner at Ridgewood Capital 
Management LLC in Ridge-
wood, N.J. Badly functioning
systems or business processes 
can’t be fixed simply by out- 
sourcing them, he said. 

Still, Mazzucchelli agreed 
with McFarlan that the corpo- 
rate community may be enter- 
ing the “mastery phase” of ex- 
ecuting on the IT groundwork 
that has been laid over the 
past 40 years. 

In the health care industry, a 
majority of IT projects fail be- 
cause they’re poorly aligned 
with business strategies, said 
John Halamka, CIO at Harvard 
Medical School and Care- 
Group Inc. Halamka advocated 
“wrapping” legacy applications 
with middleware to help drive 
new business functionality and 





then replacing systems “when 
you have the luxury of time.” 

An employee of a telecom- 
munications company who 
asked not to be identified 
complained that the need to 
comply with the Sarbanes- 
Oxley Act has led to addition- 
al checklists and sign-offs 
that are slowing down IT proj- 
ects and frustrating business 
sponsors. 

McFarlan acknowledged the 
challenges to organizational 
transformation that were cited 
by the conference attendees. 
Still, he contended that the 
“technology friendliness” of a 
company’s CEO “goes a long 
way toward achieving these 


types of things.” @ 54201 


IT'S ALL POLITICAL 


Political savvy helps IT execs advance their 

own causes — and those of their companies: 
QuickLink 54203 
www.computerworld.com 
Continued from page 1

up, maintenance and training for the patient-charting and medication-prescribing software for a monthly fee. Morgan Haugh plans to purchase additional software licenses from McKesson as it adds clients, Paul said.

While software and hardware costs for smaller practices could total hundreds of thousands of dollars, Paul’s group can offer EMR services for several hundred dollars per month, he said.

The Harbin Clinic LLC, a Rome, Ga.-based practice with about 130 physicians, plans to begin offering hosted access to its EMR system within the next two months, said CIO Thomas Fricks.

The practice uses an EMR system from Chicago-based Allscripts Healthcare Solutions Inc., which will license the software to Harbin at a discount. The clinic will provide frame-relay access to its practice clients, Fricks said.

Harbin will provide first- and second-level support for the e-prescribing, electronic tasking and lab results software with its 20-member IT staff and run the software on its servers. The practices buying access would pay for the individual physician licenses they use, communications costs to connect with Harbin, and hardware such as laptops, desktop PCs or tablet PCs, he said.

Fricks wouldn't estimate a cost for the hosted service but said it would be “substantially less” than the price a small practice would pay to move ahead on its own.

“It makes a lot of sense for us to get close to that referral base, from a business point of view and from a patient point of view to share information,” he added.

Allscripts has been quietly working to advance the concept of larger practices sharing its software with smaller practices for the past several months, Fricks added.

For several years, William Davis, an independent family practitioner in a four-member practice in Winona, Minn., has been using EMR software from Kansas City, Mo.-based Cerner Corp. that is run by an area hospital. The hospital gives Davis access to the software for the same cost he would pay monthly for an individual license and handles networking and hardware support. Cerner employees at the hospital handle software problems.

“If we have software issues, we can get it resolved often within minutes, [and] we haven’t had any significant downtime,” Davis said.

Exploring New Territory

While hospitals commonly offer EMR access to physician practices they own, many are now offering fee-based access to independent physicians.

North Memorial Health Care, an independent hospital in Robbinsdale, Minn., is hosting a meeting in two weeks to gauge the interest of about 600 affiliated physicians in accessing the hospital’s Epic Systems Corp. EMR system through a hosted model, said Pat Taffe, the hospital’s CIO.

“It is definitely new ground that is being plowed right now with affiliates,” he said.

The notion of smaller practices outsourcing EMR software from larger practices and hospitals may be one of the few economically feasible options for these users to gain access to full-featured EMR systems, said Mark Leavitt, medical director of the Healthcare Information and Management Systems Society.

Still, he noted that they must walk a fine line to comply with federal legislation that prohibits hospitals from offering doctors incentives — like discounted rates — to refer patients to the hospital. @ 54233

Almost two-thirds of the respondents said EMRs will be their most important application in the next two years.

About 18% said that their organizations have a fully operational EMR system in place.
42% said their organizations are installing EMR systems, while 22% have developed a plan to deploy EMR.
17% said their organizations don't have plans to deploy EMR technology.
BASE: 253 IT executives at U.S. health care organizations who completed a Web-based questionnaire between Dec. 6, 2004, and Jan. 26, 2005

Continued from page 1

held the 40 data tapes was lost on March 22, Time Warner spokeswoman Kathy McKiernan said. The tapes went missing during a routine shipment to an off-site facility by records management and storage firm Iron Mountain Inc. McKiernan wouldn't provide more details.

However, McKiernan did say Time Warner is trying to convince officials at Boston-based Iron Mountain to change some of their handling procedures. She declined to expand on the status of those discussions.

The $42 billion New York-based media giant also said it has provided the affected employees with resources to monitor their credit reports. The lost tapes didn’t include data about Time Warner customers, the company said.

Larry Cockell, Time Warner’s chief security officer, added that “we are working closely and aggressively with law enforcement and the outside data-storage firm to get to the bottom of this matter.”

Iron Mountain said it has had four incidents of tapes going missing this year. In late April, Ameritrade Holding Corp. in Omaha lost a data tape with the names of 200,000 clients [QuickLink 53906]. At the time, the company wouldn’t disclose how the tapes were lost, but in an interview last week, Ameritrade CIO Asiff Hirji said that the tape fell off a conveyer belt in a shipping facility.

Assuming the Worst

Hirji, who wouldn’t identify the carrier, said that for “whatever reason,” the shipper took “a bunch” of tapes out of its original secure box and placed them into another box. Sometime after that, the second box was damaged on the conveyer belt, and four tapes fell out.

“We found three,” he said. “That other tape, I’m almost 100% sure, is somewhere in that facility — probably in the rubbish bin. Or it has been destroyed in their lost and found. However, we can’t take that chance. We have to assume it’s lost and has gotten into nefarious hands. I’m not pointing fingers. I’m not deflecting blame. It’s our responsibility.”

Like Time Warner, Ameritrade is taking steps to protect the confidentiality of clients whose names and/or Social Security numbers were on the lost tape. For example, the company has stepped up monitoring to detect whether any identities have been compromised. So far, Hirji said, there has been no evidence of compromised data.

Hirji said Ameritrade is also looking at encrypting data on archive tapes and using shipping boxes that can’t be opened so easily.

Melissa Burman, director of corporate communications at Iron Mountain, said her company has stepped up training of employees in the handling of sensitive data on tapes.

“We're doing 5 million pickups and deliveries a year; that’s a huge volume. We do have incidents from time to time,” she said. “We will look at every opportunity we can to make incremental improvements in our process.”

Moreover, Burman said, customers need to encrypt private information on their backup tapes.

Bart Lazar, a privacy and intellectual property lawyer and partner at the law firm Seyfarth Shaw LLP, in Chicago, said that as data-loss incidents pile up, the companies found responsible will likely face pressure to change their data-security standards. Most of the pressure, he noted, won’t come from Congress but from insurance companies requiring more stringent safeguards.

Part of the current problem, Lazar said, is that companies don’t have proper chain-of-custody requirements or encryption technology in place.

“I’ve dealt with many of these companies, and if you ask them what happens with their data... they can’t chart it,” he said. “Or the companies know what to do, and they just haven’t committed the resources to do it.”

Lazar said data-loss incidents will also likely spur companies to turn to internal data-protection schemes instead of using third-party service providers or external data processors. @ 54195

Lost Data

Some of the major data thefts or losses this year:

FEBRUARY: ChoicePoint discloses that hackers accessed data on 145,000 people.

MARCH: Retail Ventures Inc. reports theft of credit card information from 103 of its 175 DSW Shoe Warehouse stores.

MARCH: Bank of America admits losing backup tapes with credit card data on 1.2 million customers, including 60 U.S. senators.

MARCH: Reed Elsevier reveals hackers stole information on at least 32,000 people from LexisNexis databases.

APRIL: Ameritrade Holding admits losing a backup tape containing personal information on 200,000 clients.

MAY: Time Warner says it lost 40 backup tapes with information on about 600,000 workers.

MORE ON AMERITRADE

Q&A: Ameritrade CIO Asiff Hirji discusses the Datek merger and Ameritrade’s use of midrange storage equipment and open-source technologies. Page 41
OPINION 


DON TENNANT 


Courting Controversy 


WITHIN MINUTES after my Q&A with Gerald Cohen was posted on our Web site last week [QuickLink 54143], the e-mails started pouring in. The founder and CEO of business intelligence software vendor Information Builders had certainly stirred some emotions with his comments against offshore outsourcing and lifting the H-1B visa cap.

“Congratulations for 
letting someone tell it like 
it is! Gerald Cohen de- 
serves a medal,” cheered 
one reader. “This guy is 
an American hero for 
sticking to his guns and 
bucking the popular 
trends,” gushed another. 

A third had quite a differ- 
ent view: “Mr. Cohen is 
not only wrong, but also 
foolish,” he grumbled. 

When you get polar op- 
posite reactions to what you’ve said, 
you know you’ve said something 
worthwhile. That Cohen is worth lis- 
tening to stems from the simple fact 
that he doesn’t avoid controversy. In 
fact, he appears to relish it. 

He didn’t seem particularly 
thrilled to discuss the delay of his 
flagship WebFocus 7 product (it’s 
now expected to ship “a month or 
two” late, sometime this summer), 
but other than that, he was as candid 
as they come. Cohen was perfectly 
willing to chime in, for example, on 
the recent troubles at Siebel Sys- 
tems. (“It’s an unpleasant company 
to work for. ... The remarkable thing 
about Siebel is they survived.”) 

Cohen’s most colorful comments, by far, came during our discussion of the offshore outsourcing and H-1B issues. He said he doesn’t buy the argument about outsourcing to India as a means of getting a foothold in that market. (“What are you selling in India? Zilch.”) And he scoffed at Bill Gates’ recent statements about there being a need to get rid of the H-1B visa cap. (“He’s full of it.”)

I love a good sound bite as much as the next interviewer, but what I appreciated even more was Cohen’s candor with respect to the dilemma he faces over what he has to do to keep his own company profitable. As chairman of the New York Software Industry Association, Cohen is obliged to champion the cause of keeping IT jobs in the U.S. — he’s clearly an advocate for restricting H-1B visas and for avoiding offshore outsourcing. But he acknowledged that Information Builders sends “the routine kind of quality assurance work” offshore. “I can get things done cheaper in Moscow than I can in New York City,” Cohen said.

Still, he didn’t shy away from the fact that “a lot of these jobs that go overseas are the spawning grounds for future jobs.” QA work has traditionally blazed a career path to programming and ultimately to more advanced software design, so sending it offshore damages the employment ecosystem. “The whole industry’s going to move offshore,” Cohen lamented.

So, what’s the answer? Cohen doesn’t pretend to have it. “I have no solution for how we're going to throttle this in some way,” he said.

But you know what? At least he’s 
willing to talk about it, and to do so 
with candor and humility. I don’t 
know that there’s much more we can 
ask for. What’s unfortunate is that so 
few people are willing to even dis- 
cuss the topic on the record because 
they’re afraid of being judged in the 
court of public opinion. 

I don’t know whether Cohen is an American hero who deserves a medal, but I do know he’s not foolish. What’s foolish is thinking you can be a respected leader without being willing to speak your mind. @ 54202 
BRUCE A. STEWART 


All Packaged Up, Nowhere To Go 


DURING THE PAST 10 years, we in IT have done a solid job of weaning ourselves from the notion that custom applications are a good idea. 

Packages have replaced our applica- 
tions of old. When we want something 
new, our first thought is to look for a 
product we can buy. 

If the goal is simply to provide tech- 
nology to support the enterprise, that’s 
the right way to go about it. But the 
game is changing again, and custom 
applications are returning to the fore. 

IT is now woven throughout the en- 
terprise, and there are few job func- 
tions nowadays that don’t depend on 
the continuing oper- 
ation of some IT sys- 
tem. With plant 
floors receiving ma- 
terials through the 
workings of IT sys- 
tems, even workers 
on the line depend 
on IT (even if they 
don’t experience it 
directly). But the 
challenge is this: If 
everyone has the 
same stuff, how do 
we differentiate our- 
selves from our com- 
petitors? 

In his book Does 
IT Matter?, Nicholas 
G. Carr argues that 
we don’t — and shouldn’t. But CEOs 
disagree. 

Bruce Rogow’s firm, Vivaldi Odyssey 
and Advisory, reports that CEOs con- 
sider as much as 30% of their business- 
es to be “dead” — they’re producing 
products and taking in money, but they 
have no growth potential and must 
compete solely on price. CEOs are 
calling for innovation to produce 
growth. 

But innovation can’t be found in the 
packaged application market. Business 
processes, problems and methods 
must become common before a pack- 
age can find the repeat business need- 
ed to make it a successful product (and 
justify its development costs). Poten- 
tial clients must be (or be willing to 
become) similar enough to implement 
the package and have it fit their needs. 
What this says is that companies will 
share a base of common enterprise sys- 
tems but season those with applica- 
tions that are unique. 

Before jumping up and down with 
joy (“The fun is back in IT!”) or hang- 
ing your head in despair (“That’s how 
we blew our budget and credibility be- 
fore!”), stop and recognize that some- 
thing else has changed. Service-orient- 
ed architectures and the creation of 
Web services have made creating cus- 
tom extensions — even whole new ca- 
pabilities — less risky than in the past. 

This brings us to the real point of 
custom code. It should be focused and 
light, just enough to get the job done. 

To get there, we also have to adopt 
new practices. Start by rigorously sep- 
arating your requirements from your 
specifications. Requirements are about 
the problem you are solving and the 
work the custom code will do (or the 
product it will be). Good requirements 
talk about how each item in the func- 
tions being designed can directly lead 
to measurement of a business result. 
(Business cases are developed from 
these; the proof that value was deliv- 
ered comes from measuring the results 
later.) Specifications, on the other hand, 
are about how the solution is delivered. 

Getting the requirements done allows 
you to know precisely what you are im- 
plementing — and then to do no more 
than that. (Do you use, or even know 
the function of, all the buttons on the 
tool bar in any application? It’s waste- 
ful to overbuild.) Freeze these (you're 
delivering a product, and time to mar- 
ket matters) and get it built. There’s al- 
ways Release 2 for new requirements 
that emerge later. 

Deliver innovative solutions that do 
“just enough,” and become victorious 
in your CEO’s eyes. @ 54038 
IT May Have Become Too Invisible 

THERE’S no such thing as bad publicity, they used to say in Hollywood. Far better to be talked about negatively than not to be thought about at all.

The IT profession may be in need of some publicity. The results of a recent survey of 55 of the top executive MBA candidates — degree-seeking students who have full-time jobs — at the Fisher College of Business at Ohio State University indicate that IT — what it is, what it does and what it can do — isn’t on the minds of next-generation business leaders.

• 75% said they didn’t think much about IT.

• 66% didn’t know who the CIO was at their company.

• 48% had “never actually met an IT person.”

• 63% were hard-pressed to articulate the IT strategy of the company they worked for.

• 84%, when asked to recall personal experiences related to IT, cited very negative situations, such as IT failing to deliver on something.

This data correlates with research 
conducted at the IT Leadership Acade- 
my that documented that IT has an im- 
age problem. In addition, large subsets 
of the IT tribe are experiencing an 
identity crisis, exhibiting pronounced 
uncertainty about the roles they play 
today and will play in the future. 

The image problem involves the external awareness or perception of who IT is and what it does. The identity problem concerns an internal awareness of who IT is and what it does. Image is linked tightly to reputation, which is defined as the collective judgment by outsiders of an organization’s actions and achievements. It’s one thing to be judged harshly. It’s quite another not to be judged at all.

Most IT leaders are familiar with emerging research that characterizes the contemporary enterprise as an assembly of skills tribes — marketing, finance, operations and IT. These tribes should be — but in most cases aren’t yet — integrated. Each tribe has its own language, belief system and set of rituals.

Success for the enterprise is seen as a function of whether leadership can get the tribes to play well together. Until recently, many in IT, myself included, labored under the impression that the first step on the path to success is to understand how each discipline thinks. We were wrong. The real first step is to make sure the other tribes know you exist.

The mission for many IT shops is to go unnoticed in the way that an elevator goes unnoticed when it’s functioning properly. But have we become too invisible? Has IT fallen off the radar screen of the next generation of business leaders? If so, how do we build credibility with those leaders?

Conventional wisdom tells us that any enterprise has three primary agendas: the build agenda, the run agenda and the change agenda. Having taken part in those first two agendas by building (or at least providing) the company’s IT infrastructure and then migrating it to a lights-out mode of operation, IT has one obvious role remaining: to participate actively and contribute substantively to enterprise transformation and innovation.

The challenge for the discipline is that most of the executives currently involved in such activities don’t think of IT as being able to contribute much in the transformation and innovation arena. What’s worse, the people who will take those executives’ places don’t really think about IT people at all. We have to change this. @ 54098 

More columnists and links to archives of previous columns are on our Web site 
www.computerworld.com/columns 


Vendors Can Be True Partners 

IN THE INTERVIEW on vendor negotiations [“Tough Tactics,” QuickLink 51968], Joe Auer says, “First, it's a fantasy that it's a partnership.” That is incorrect. A good partnership depends on trust and room for value-add. In my industry (construction), contracts come with many pages of legal discussions of what happens when things go bad, and everybody knows that the best resolutions occur when nobody ever has to refer to those pages. And the worst resolutions occur when they do refer to those pages and the lawyers parse them. A partnership can be real as well as extremely rewarding when it is based on differing expertise and an expectation that both parties will benefit from the transaction. In business, as in life, you cannot have your friends and eat them too. Your suppliers won't be there for you if you drive them out of business.

Auer’s viewpoint is corrosive to the vendor/customer relationship. Such thinking has led to reverse auctions and the damaged relationships that have followed. While there are commodity-based and price-based transactions, there are also knowledge-based and trust-based ones.

Stephen Herdina 
Cincinnati 


Punish the Guilty 

THE ARTICLE “Microsoft Gives Blaster Author a Break on Damages” [QuickLink 53500] stated that in lieu of paying $497,546 in restitution, Jeffrey Lee Parson will have to do 225 hours of community service over a three-year period. What crap. The guy causes all that damage and gets to work off the fine at $2,211 an hour, for less than an hour and a half a week. Do you think for a second that this type of treatment is a deterrent?

Larry M. Litwin 
Programmer/analyst, 
Albany, N.Y. 


The Key Is Strong Authentication 

RECENT NEWS about hackers stealing information shows that we have arrived at a crisis point. The information can be rendered unusable, however. The trick is to implement strong authentication, using PKI certificates. The current one-way SSL approach is inadequate, because user authentication using a username and PIN is rather weak.

Donald Chi 
Program manager, 
Gaithersburg, Md., 
donchi@ieee.org 


Apple’s RAID Entry 

THE ARTICLE “Invasion of the iSCSI Arrays” [QuickLink 53298] seems incomplete in regard to pricing options. What responsible IT manager wouldn't look at Apple's Xserve RAID technology? For the $47,000 that Jim Tarala spent, he could have purchased about 20TB of storage from Apple. It connects over Fibre Channel and doesn't need Apple's operating system to access it. It has a Java-based configuration client that will run on Windows. For half of what he spent, Tarala could have purchased twice as much capacity. Just because the “standard” vendors are expensive doesn't mean there aren't cheap yet reliable options. And who would have thought that option would be Apple?

Stu Duncan 
IS manager, Greenville, N.C. 
Chilling Out With DC Power 


DC power-delivery systems allow server 
racks to run as much as 15% cooler 

than they would with AC power, and 

the reliability can’t be beat. Rising 
temperatures could push more data 
centers to make the switch. Page 23 


BIOMETRICS: 


After 9/11, public-sector interest in biometrics 
spiked, but standards and stringent scalability 
testing are still needed to trigger widespread 


corporate adoption. 


SECURITY MANAGER’S JOURNAL 


Protecting the 

Crown Jewels 

Mathias Thurman looks at various 
options for protecting one of his 
company’s most valuable assets — 
its source code. Page 24 
Unconventional Innovation 

Dell CTO Kevin Kettler says the 
computer maker’s involvement in efforts 
to define emerging technologies such as 
PCI Express has helped better focus 
technology on customer needs. Page 22 


People and passwords — in the long run, they just don’t work very effectively together. At least that’s what Phil Fowler, vice president of IT at Telesis Community Credit Union, a Chatsworth, Calif.-based financial services provider that manages $1.2 billion in assets, found out. His team ran a network password cracker as part of an enterprise security audit last year to see if employees were adhering to Telesis’ password policies. They weren't.

“Within 30 seconds, we had identified probably 80% of people’s passwords,” says Fowler, whose group immediately asked employees to create strong passwords that adhered to the security requirements. A few days later, the team ran the password cracker again: This time, they cracked 70%.

“We couldn’t get [employees] to maintain strong passwords, and those that did forgot them, so the help desk would have to reset them,” says Fowler. Telesis decided to secure network and application access with a biometric system that eliminated the need for user IDs and passwords, opting for the DigitalPersona fingerprint system from DigitalPersona Inc. in Redwood City, Calif.

The use of biometrics — the mathematical analysis of characteristics such as fingerprints, veins in irises and retinas, and voice patterns — as a way to authenticate users’ identities has been a topic of discussion for years. Early commercial success stories have largely come from applying biometrics to projects with provable returns on investment: time and attendance, password reduction and reset, and physical access control. Though biometric work remains primarily in the pilot stages, the events of 9/11 pushed emerging commercial products to center stage — a spot some say they weren’t ready to claim. Vendor focus shifted from the private sector toward the huge contracts many expected would be awarded in the public sector, say observers.

The attacks on 9/11 “brought focus to what was going on in biometrics, and [vendors] switched gears. Where previously they were thinking about [biometrics] for enterprise access, they decided government contracts were the next gold mine and jumped on that,” says C. Maxine Most, president of Acuity Market Intelligence in Boulder, Colo. 

The problem with this strategy, she 
says, is that commercial biometric 
systems aren’t standardized and 
haven't been tested in large-scale im- 
plementations of the type federal 
agencies are undertaking, such as the 
US-VISIT and Transportation Work- 
er Identification Credential projects. 

Samir Nanavati, a partner at Inter- 
national Biometric Group LLC, a con- 
sultancy in New York, says the prob- 
lem was more a lack of public-sector 
readiness than technology shortfalls. 

“In 2001, the private sector was aggressively researching and testing biometrics, and the public sector had a couple of projects,” Nanavati says. “After September, the biometrics industry reread the whole landscape and decided to gravitate toward the public sector, going after a market that wasn’t ready for them.” But, he adds, there are plenty of smaller stories of “biometrics hitting the bottom line” in the private sector. 


Finger on Access 

That has been the case for Telesis, which has rolled out fingerprint-based network and systems access technology in its headquarters and credit-union branches. Once Telesis has thoroughly tested the system, the company will deploy it in the offices of Business Partners LLC, its business loan services partner. Users no longer need to remember IDs and passwords because DigitalPersona authenticates enrolled personnel via fingerprint scanners, tying the fingerprints to 256-character passwords that it randomly generates every 45 days. 

Fowler says Telesis looked at a single 
sign-on application but was uncom- 
fortable with the idea that one authen- 
tication would provide access to the 
network and all connected applica- 
tions. With the current deployment, 
employees touch their scanners to gain 
access to each application they use, in- 
cluding homegrown and third-party 
Web-based applications. 

The system is already integrated with 
Microsoft Corp.'s Active Directory for 
network access, and fingerprint pro- 
files are encrypted and stored directly 
in Active Directory, relieving worries 
Telesis had that they might be stored 
as images that could be compromised. 
Telesis’ IT department is reviewing 
applications that require ID and pass- 
word sign-ons and creating profiles for 
them in the DigitalPersona server. 

During the deployment’s testing 
phase, Fowler’s team encountered a 
few issues related to mobile workers. 
For corporate travelers, the company 
considered equipping laptops with 
scanners, but most Telesis executives 
don’t carry their laptops unless giving 
presentations; they prefer to use hotel 
business centers or Internet cafes to 
access the corporate intranet. When 
they do that, they use static but diffi- 
cult-to-crack passwords. 

Another segment of Telesis’ mobile 
population — “roaming” tellers — 
are another concern, says Fowler. He 
wants to be able to lock down all work- 
stations so that the Ctrl-Alt-Delete 
function won't bring up the user ID 
and password log-in option, but then 
roamers wouldn't be able to use the 
teller workstations they need. 

Although Fowler says it’s difficult to 
quantify ROI, Telesis is pleased with 
the streamlined network access, re- 
duced password-reset requests and the 
improved security ratings audits have 
found since it adopted DigitalPersona. 


Security or Convenience? 
The kind of biometric application Tele- 
sis is piloting — user authentication for 
access to computer systems — hasn’t 
thus far seen the adoption rates that 
many had expected, according to Gart- 
ner Inc. analyst Clare Hirst. She adds 
that she doesn’t expect to see many 
more such deployments before 2010. 
“We hear a lot about biometrics, but the reality is that most of the projects are still in pilot stages,” Hirst says. The most mature applications of biometric technology are in systems that control physical access to facilities and keep records of time and attendance, she says. “With time and attendance, companies can use finger-, hand- or facial-recognition technology; get rid of access cards and mechanical punch-in [devices]; and it’s not a security issue — it’s to save money,” Hirst says.

Though it’s not using biometrics for actual system access, Washington-based Marriott International Inc. is using voice authentication technology to reset the passwords that enable access to its intranet, Active Directory service and several nonproprietary applications, according to Al Sample, senior vice president of client services. The system, Vocent Password Reset from Vocent Solutions Inc. in Mountain View, Calif., complements existing reset options. Users can also change passwords using PC or Web-based tools, or they can call the help desk. Around a third of the 40,000 Marriott employees who are assigned passwords take advantage of the Vocent option. 

The system made sense, says Sam- 
ple, because it utilizes Marriott’s 
phone system and requires no special 
hardware. The Vocent application pro- 
vides two-factor authentication, check- 
ing a user’s voice patterns against a 
stored voiceprint while simultaneously 
verifying user information through 
voice recognition. 

“We capture a voiceprint through a 
one-time registration, and at the same 
time, we gather some key information 
that we use during the password-reset 
process,” says Sample. 

Given the costs of manual password 
resets — Gartner estimates that they 
cost $10 to $31 per incident — Marriott’s 
self-service deployment has translated 
into strong savings, says Sample, par- 
ticularly since IT requires that pass- 
words be changed every 90 days. 

“We have a very large [user] base, with more than 30,000 associates, so you can imagine the amount of human intervention required for manual password resets,” he says. 


Waiting for Standards 


The technology behind biometrics rep- 
resents an emerging commercial mar- 
ket, but adoption of such systems won’t 
really take off until vendors and users 
agree on standards in areas such as ap- 
plication programming interfaces, com- 
mon file formats and data interchange. 
The scope of massive federal initiatives such as the U.S. Department of Defense’s Defense Biometric Identification System demands standardized, interoperable technologies, says David Wennergren, the U.S. Department of the Navy’s CIO. He is also chairman of the DOD’s Identity, Protection and Management Senior Coordinating Group, which oversees agency groups working with smart cards, public-key infrastructure and biometrics. 

The DOD is using fingerprint bio- 
metrics as part of an authentication 
process for providing personnel and 
associates — 4 million people to date 
— with smart cards for physical and 
network access. It’s also piloting iris- 
and facial-recognition technologies. 

“It’s key that we have interoperable 
systems because everybody’s mobile; 
we can’t buy a proprietary biometrics 
[system] that ultimately only works at 
one base,” says Wennergren, who’s 
based in Crystal City, Va. He cites a re- 
cent memo issued by the DOD CIO that 
mandates that the agency’s biometric 
collection practices align with FBI stan- 
dards so the agencies can share data. 

“When [the DOD] first became big 
consumers of smart cards, we knew 
there weren’t perfect standards in 
place, but we were able to leverage our 
size and work with other agencies and 
technology providers to help create 
standards,” says Wennergren. He says 
he hopes that federal agencies will 
have the same impact in driving bio- 
metrics standards. @ 54024 


Gilhooly is a freelance writer in 
Falmouth, Maine. You can reach her 
at kymg@maine.rr.com. 


For additional information on biometrics, go to: 
QuickLink 54132 
www. 
DELL INC.’s success is usually chalked 
up to its marketing savvy rather than 
innovative technology. Chief Technol- 
ogy Officer Kevin Kettler says, however, 
that the company has played a pivotal 
role behind the scenes, helping to 
shape emerging technologies to meet 
customer needs. Kettler discussed 
Dell’s impact on technology in a recent 
interview with Computerworld’s 
Robert L. Mitchell. 


What role does R&D play at Dell? The mod- 
el we’ve chosen to pursue is to focus 
on customer-driven innovation. We 
have well over 4,000 engineers world- 
wide who are working on product de- 
velopment and research leading into 
product development. We think there’s 
a pretty strong investment there. 


To what extent does Dell influence the devel- 
opment of the core technologies that go into 
its products? One of the best-kept secrets 
around is what exactly our influence is 
in this area, and I consider it very ex- 
tensive. Dell has core teams that are 
working [with silicon designers] on 
where we think customer requirements 
are and where we think innovation 
needs to occur in basic silicon design. 

We are down at very low levels with 
chip set architectures, chip set parti- 
tioning, processor interfaces, proces- 
sor architectures. Right now, we have 
discussions going on on products we 
won't see produced until the 2009-2010 
time frame. We have a very regimented 
process and approach. We will typical- 
ly drive the requirements based on 
what we are generating from our direct 
customer touch. 


Can you give an example of how Dell has in- 
fluenced the development of a technology? 
The most recent example would be 
PCI Express. Dell was a very early 
adopter of the concept of needing to 
move to a new, higher-speed bus inter- 
face for a lot of different reasons. We 
brought our expertise on how do you 
put that into a system, how do you do 
board layout, how do you ensure that 
EMI capabilities are not being exceed- 
ed, how do you ensure that cross talk is 
handled. That’s one that we've partici- 
pated in from its earliest infancy the 
whole way through to delivery of PCI 
Express capabilities literally through 
all of our product lines. 


What emerging technologies are you most 
excited about that are likely to appear in Dell 
products for enterprise users over the next 
12 to 24 months? One of those is the 
work we're doing around Blu-ray disk, 
[an] emerging standard for next-gener- 
ation optical disk drives. We’ve been 
working with a number of partners in 
defining the fundamental technology, 
what it is, how it’s going to operate. 
We're also excited about the delivery of technologies in the multicore area around processors. Not just multicore processors but multicore coupled with some of the virtualization technologies and techniques.


Chief tech- 
vice president for 
Dell's product group 


Dell Inc. 
in Round Rock, Texas 
first working in development for the 
client architecture and technology 
group. Prior to joining Dell, he spent 
12 years at IBM's PC systems division. 
Kettler holds a doctoral degree in 
electrical engineering from Carnegie 


Why did you back Blu-ray and not the com- 
peting HD-DVD standard? When you look 
at the capacity of the drives, Blu-ray 
provides significantly more headroom 
than what HD-DVD does. We consider 
Blu-ray a pretty major change, and we 
wanted to make sure we had a technol- 
ogy that was going to have some lon- 
gevity around it, especially given the 
investment in transitioning customers 
to a new format for all of their content. 


What synergies do you see between multicore processors and virtualization? Multicore is putting multiple processors on a single die to create a single footprint. 
Today, we think of virtualization as a 
single box with virtualization software 
that gives the impression of that box 
serving multiple operating environ- 
ments. With multicores, if I partition 
up my system using virtualization soft- 
ware, I can start to dedicate cores to 
different environments. So it expands 
the scope of traditional virtualization 
technologies. 


Where has Dell led the market in adopting 
new technologies? We have historically 
been the absolute leader in delivering 
new memory technology to the mar- 
ketplace. Other technologies have been 
more unique. If you look at our note- 
book products, for example, we’ve put 
together some pretty novel approaches 
for handling hard-drive protection that 
we call StrikeZone. It’s a mechanism 
that protects [the disk drive] when you 
drop a notebook. Other things, like our 
battery technologies, and particularly 
our charging techniques, are things we 
created, developed, designed and de- 
livered to the marketplace. 


To what extent does Dell help design the 
specifications surrounding the emerging 
standards it supports? There’s an amount 
of the architecture definition around 
PCI Express that was created by Dell 
engineers. Another example is a speci- 
fication called Disk Data Format 
[DDF]. One of the people on my team 
wrote that specification and brought it 
forward to the Storage Networking In- 
dustry Association. 

DDF is in response to customer 
feedback. A customer would build out 
a Dell server or external storage array 
and might have a set of disk drives 
with their company’s data on those 
drives. [Then] they might migrate to a 
different machine. What was at issue 
was that each of the five controller 
manufacturers was using proprietary 
formats to lay out the data and tables 
associated with the formatting on the 
drive. So [Dell technology strategist] 
Bill Dawkins heard this and went off 
and wrote a specification on how that 
architecture should fit together and 
has driven it through a standards body. 
It’s been accepted, and we're starting 
to see silicon from some companies. 

At the end of the day, when cus- 
tomers plug and play drives, they 
won't run into the potential for that 
data to be unrecognized and misinter- 
preted as a blank drive and formatted 
over. So it’s a huge win. It’s direct, 
customer-driven innovation. 


Where do you see technology moving in the 
next three years? One of the key shifts 
that is occurring is that with the addi- 
tion of blades and the need to manage 
blades, it’s produced a razor focus at 
Dell around the systems management 
infrastructure and how do we move 
from a systems management infra- 
structure that has traditionally been 
very proprietary, very monolithic in 
nature to something that is going to 
provide greater flexibility to manage 
... across this mass of distributed re- 
sources that exist out there. We have a 
vision and approach that we think will 
move the ease at which the enterprise 
can be managed, deployed and ser- 
viced going forward. 

What I’ve described has been a de- 
sire for customers, but the industry 
hasn’t been rallied around it. That’s the 
key thing that’s happening right now. 
We're doing a lot of work getting peo- 
ple excited about plugging into an open 
infrastructure like that, and that’s 
going to lead to a ton of innovation. 
Ultimately, if we do our job well, 
customers will benefit. @ 54006 
centers to make the
switch to direct current 
power-delivery systems. 


AS VENDORS CONTINUE to pack more servers into a smaller footprint, keeping a lid on power requirements — and keeping server racks cool — has become a huge challenge. And the lowly AC power supply remains the toughest part of the problem to solve.

A typical power supply, which converts AC power into the various DC voltages required by individual server components, has an efficiency range of just 65% to 85%, vendors say. Just one 1-kilowatt power supply may generate 300 watts of waste heat, and today’s blade servers can consume more than 14 kilowatts per rack.

“That’s bad,” says Scott Tease, product marketing manager for eServer BladeCenter at IBM. “One, I paid for that electricity, and two, I’ve released the heat into the environment and I have to pay to air-condition it.”

To make matters worse, AC 
power-supply efficiency drops 
with the utilization level. In 
servers with redundant power 
supplies, where the load is 
shared, best-case utilization lev- 
els are below 50%. As a result, 
power supplies in most servers 
tend to operate at the low end 
of the efficiency range, says Ken 
Baker, data center infrastruc- 
ture technolo- 

gist at Hewlett- 

Packard Co. 

Some data 

center man- 
agers have responded by using 
DC-based power distribution 
systems, eliminating the need 
for AC power supplies for 
server racks. IBM and HP both 
offer servers that can accept 
bulk DC power from a central- 
ized, telecommunications- 
grade -48-volt DC power dis- 
tribution unit (PDU) and then 
step it down to the voltages 
required at the server level. 







Rackable Systems Inc.’s products support both bulk power and an option that moves the AC/DC converter away from individual servers to the top of each rack, where heat can be vented into the air-handling system.

Milpitas, Calif.-based Rackable claims that its DC-powered servers reduce heat by up to 30%. HP makes more modest claims of 15% reduction, which can add up across many racks of servers, Baker says.

Data393 Holdings LLC has made the leap to DC-powered servers. The company, which operates a collocation center in Englewood, Colo., uses a DC power distribution system inherited from a previous tenant to power 140 servers from Rackable. Data393’s DC power plant includes rectifiers that convert incoming AC power to DC and charge a bank of uninterruptible power supply batteries as well as its servers and network equipment.

Chris Leebelt, senior vice president at Data393, says the IT services provider chose DC-powered equipment because it needed to make the most of its available square footage and its ability to cool that space. While the power distribution system must still convert incoming power to DC, that conversion occurs outside the data center. DC-powered systems from Rackable cost about the same as traditional AC-powered servers while allowing more servers in each rack, according to Leebelt.

DC rectifiers also have a mean time between failures of 7 million hours — 70 times longer than AC power supplies, says Geoffrey Noer, senior director of product marketing at Rackable.

“Some of our largest customers host almost exclusively in DC-related environments,” says Baker. But he also points out that most are telecommunications companies and hosted service providers. “The number is very small in corporate data centers,” he says.

So why don’t more enterprise data centers use DC PDUs?

Tease claims that the relationship between utilization and efficiency issues is overstated, and IBM’s BladeCenter power supply designs are 90% efficient. In contrast, the converters required to step down DC power are 93% efficient. “Unless the infrastructure is already in place, it just doesn’t make sense,” he says.

Baker says inertia and familiarity keep data centers on AC power, and the standards for AC are well established and understood. “It takes specialized talent to manage [DC] correctly,” he says.

And because DC power has more resistance, the distribution system requires larger conductors. Neil Rasmussen, chief technical officer at American Power Conversion Corp., an UPS and data center rack system manufacturer in West Kingston, R.I., says that adds to infrastructure costs. “DC wiring at these power levels is too expensive and complex, requiring specialized contractors and design,” he says.

But Baker and Rackable’s Noer say the costs overall are about the same.

Baker says the adoption of DC as an alternative power source could become a trend, particularly in new data centers where such infrastructure choices are being made. “We have customers that have chosen native DC from the ground up,” he says. But Baker adds that the lion’s share of enterprise data centers will continue to center around AC power.

Meanwhile, IBM is focusing its power-saving efforts on areas such as the CPU, which accounts for 25% of the power budget in a BladeCenter, Tease says. IBM offers a 2.8-GHz Xeon DP processor that adds $200 to the cost of a dual-processor blade but cuts power from 103 watts to 55 watts.

Noer claims that ultimately, the combination of low-voltage parts and DC power will have the biggest payoff: It can cut power requirements by half.

Rasmussen isn’t convinced. “If you need to cut the load 15%, just pull out 15% of the servers and put them somewhere else,” he says.

But for Data393, floor space is limited. DC power has enabled Leebelt to fill server racks that would otherwise run too hot for his air-handling systems. “[Vendors] don’t tell you that you can’t load a full rack of blades because the heat coming off the racks can be very significant,” he says.

DC power by itself can’t solve the problem of increasing power density in server racks. But the option has provided enough relief to convince Leebelt to migrate Data393’s remaining 600 servers. “We're doing consolidation work to get out of AC hardware,” he says. @ 53969


To DC or Not to DC?

PROS:

A DC power distribution system moves the inefficient and heat-generating AC/DC conversion process out of server racks. Cooler racks support higher server densities, saving floor space.

DC systems are more reliable than AC power supplies.

Batteries used in DC designs provide a source of uninterruptible power.

Most networking equipment already supports DC power.

CONS:

A DC power distribution system is an added expense.

DC requires bigger power distribution cables than AC power does.

Management of DC systems requires specialized expertise.


Our security manager explores the options
for securing a valuable asset - the company’s
source code. By Mathias Thurman


YOU WOULD probably imagine that a company that writes and sells software would make the protection of that software paramount. That’s why it’s hard to believe that my company has implemented no comprehensive efforts to protect its bread-and-butter software from falling into the wrong hands.

Fortunately, upper management is finally getting a clue and has asked that we look into the technologies currently available for protecting our source code.

The need to do something is 
more pressing than ever. It’s 
become trivial to find a place 
to store a gigabyte of source 
code (a good portion of our 
current software inventory), 
what with the availability of 
low-cost USB tokens, external 
hard drives and increased disk 
space on public e-mail reposi- 
tories such as Yahoo and 
Google. Left unprotected, our 
source code could be moved 
off-site in less than 10 minutes. 

And if clever programmers 
took the code, they could re- 
brand, reverse-engineer or 
replicate it and sell it for profit 
within a matter of days. If you 
think I’m exaggerating, recall 
that more than 800MB of 
source code from Cisco Sys- 
tems Inc.’s Internetworking 
Operating System was posted 
to a Russian Web site a year 
ago [QuickLink a5770]. 

Our programmers use the 
open-source Concurrent Ver- 
sions System to save and re- 
trieve various versions of 
source code. CVS also lets
teams of developers share
control of different versions of 
files (source code) in a com- 
mon repository. The problem 
is that once a developer 
checks out source code from 
the repository, there are no 
controls to prevent him from 
copying, moving or transfer- 
ring the code to a storage de- 
vice or an FTP site. 
As much as we'd like 
to trust our pro- 
grammers, it’s al- 
ways possible that 
money or coercion 
could get someone 
to take advantage of 
the lack of controls. And even 
if that didn’t happen, a worm 
or other type of malicious 
code could be introduced to 
our internal network, compro- 
mise a user’s desktop and give 
an outsider access to locally 
stored source code. I could go 
on for hours discussing the 
methods and motivations for 
stealing source code. 
Fortunately, there are some 
fairly significant developments 
in the source-code protection 
market. One is software that 
gets installed on the develop- 
er’s desktop and then inserts 
itself into the operating system 
in such a way that it prevents 







defined data from being 
copied, printed or transferred 
anywhere other than the 
source-code repository or a 
dedicated build server. What’s 
nice about this type of tech- 
nology is its ability to define 
which directories and files this 
protection should be applied 
to. That means that when de- 
velopers checked out source 
code, they would be forced to 
maintain that code in a certain 
directory, from which they 
would be barred from copying, 
printing or transferring. How- 
ever, they would be free to 
copy, print or otherwise ma- 
nipulate other business-relat- 
ed data such as e-mail or other 
documents, which would be 
available in a different, nonre- 
stricted directory. Some of the 
software in this market will 
also encrypt the defined data. 


Looking at Products 
Microsoft Corp. and Adobe 
Systems Inc. both have robust 
offerings in this market, but 
they seem to be product-cen- 
tric. We need something that 
is product-agnostic, that can 
be used with data that origi- 
nates from any company’s 
product. One vendor that 
seems to have really good potential
is Santa Clara, Calif.-based
Vormetric Inc. Its CoreGuard
product seems to address all of
our needs. It allows encryption,
access control, integrity protection,
alerting and reporting, and 
most important, it can be con- 
figured to be transparent to 
the user, letting the developers 
conduct business as usual. 
Another interesting technology monitors network traffic for source code in the data stream. An example of this is a product from San Mateo, Calif.-based Tablus Inc. that crawls through your source-code repositories and uses special technology to analyze the data. Then, working in a way that’s similar to what intrusion-detection software does, it monitors the network and watches the data stream for the “fingerprint” of the source code it has inspected.
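
The fingerprint-then-monitor idea described above, as an added example that is not part of the original column and is not Tablus's method, which the column does not describe. It swaps in token shingling with winnowing, a published document-fingerprinting technique; the file paths, sample code, payloads and the K, WINDOW and min_hits values are all constructed for illustration.

```python
import hashlib
import re

K = 5        # tokens per shingle (illustrative value)
WINDOW = 4   # winnowing window (illustrative value)


def tokens(text):
    """Lowercased identifiers, numbers and single punctuation marks.
    Whitespace is discarded, so re-indenting or re-wrapping code changes nothing."""
    return re.findall(r"[a-z_]\w*|\d+|[^\s\w]", text.lower())


def shingle_hashes(text):
    """64-bit hash of every run of K consecutive tokens, in order."""
    toks = tokens(text)
    return [
        int.from_bytes(hashlib.sha1(" ".join(toks[i:i + K]).encode()).digest()[:8], "big")
        for i in range(len(toks) - K + 1)
    ]


def fingerprint(text):
    """Winnowing: keep the smallest hash in each sliding window.
    Any run of K + WINDOW - 1 tokens shared by two texts yields a common value."""
    hashes = shingle_hashes(text)
    if len(hashes) <= WINDOW:
        return set(hashes)
    return {min(hashes[i:i + WINDOW]) for i in range(len(hashes) - WINDOW + 1)}


def build_index(repo):
    """Crawl step: map each fingerprint value to the repository files containing it."""
    index = {}
    for path, source in repo.items():
        for h in fingerprint(source):
            index.setdefault(h, set()).add(path)
    return index


def scan_payload(payload, index, min_hits=3):
    """Monitor step: fingerprint one reassembled payload (bytes) and return
    {path: matching fingerprints} for files with at least min_hits matches."""
    text = payload.decode("utf-8", errors="ignore")
    hits = {}
    for h in fingerprint(text):
        for path in index.get(h, ()):
            hits[path] = hits.get(path, 0) + 1
    return {path: n for path, n in hits.items() if n >= min_hits}


# Constructed sample repository (not real product code).
REPO = {
    "src/billing/rate.c": """
static int tier_rate(int minutes, int plan) {
    int base = plan_table[plan].cents;
    if (minutes > plan_table[plan].cap)
        base += (minutes - plan_table[plan].cap) * OVERAGE_CENTS;
    return base + regulatory_fee(plan);
}
""",
    "src/ledger/post.c": """
void post_entry(struct ledger *l, long amount) {
    l->balance = l->balance + amount;
    l->count++;
    audit_log("post", amount);
}
""",
}

# Constructed outbound message: rate.c pasted into a mail body with its
# line breaks and indentation collapsed to single spaces.
LEAK = (
    "Subject: fyi\n\nHere is the routine we talked about:\n"
    + " ".join(REPO["src/billing/rate.c"].split())
    + "\nLet me know if it builds.\n"
).encode()

# Constructed outbound message with no source code in it.
BENIGN = b"Team lunch is moved to Thursday at noon; please update the calendar (room 4)."

if __name__ == "__main__":
    index = build_index(REPO)
    for name, payload in (("leak", LEAK), ("benign", BENIGN)):
        print(name, scan_payload(payload, index))
```

Encrypted or compressed transfers would have to be decoded before a scan like this sees any tokens to match.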


No matter what approach we end up
using, a major consideration will be
the user experience. We'll have to do a
considerable amount of test- 
ing to ensure that we don’t im- 
pact a developer’s ability to do 
his job. In our company, devel- 
opers are treated like kings, 
since they write the software 
that brings in the big bucks. If 
a developer’s ability to work is 
impeded, that in turn could af- 
fect the product life cycle, 
which could hurt our ability to 
generate revenue. 

Because developer work- 
flow is such a high priority, 
the more passive option — the 
network approach — has mer- 
it. However, it won’t prevent 
users from copying data to a 
local storage medium such as 
a CD-ROM or USB thumb 
drive. Perhaps the best way to 
secure our data would be a 
two-pronged approach in 
which we both protected the 
desktop and monitored the 
network. But all of that activi- 
ty would have to be managed, 
and we’re short-staffed as it is. 

We'll probably start asking some of these vendors to come in and demonstrate their products, and then we'll start testing the products. At the end of the day, we hope to come up with an approach that satisfies our information security needs while still leaving our developers free to do their jobs. And if it works out well, we should be able to extend the technology we select to other departments such as legal, human resources and strategic planning.


WHAT DO YOU THINK?

This week's journal is written by a real security manager, “Mathias Thurman,” whose name and employer have been disguised for obvious reasons. Contact him at mathias_thurman@yahoo.com, or join the discussion in our forum: QuickLink a1590

To find a complete archive of our Security Manager's Journals, go online to: computerworld.com/secjournal
Security Bookshelf

Aggressive Network Self-defense, by Neil R. Wyler (editor), et al. (Syngress Publishing, 2005).

This book is
ble technical approaches to all areas of information security, as well as interesting scenarios and references to some of the newest tools and technologies. Since I like wireless security, I really enjoyed the description of a common wireless hacking scenario. And be sure to check out Chapter 4, in which a keystroke-capturing program is used to compromise a VPN connection to hack into a pharmaceutical company. This is a must for every security practitioner’s library.

- Mathias Thurman


Alcatel Offers 
Quarantine App 


Alcatel announced its Omni- 
Vista 2770 Quarantine Man- 
ager for the Alcatel Omni- 
Switch product line. The tool, 
which works with intrusion- 
detection and -prevention 
systems from third parties, is 
designed to detect attackers 
and stop them by quarantining 
them in a virtual LAN where 
they can’t get access to the 
network. It’s also designed to 
ban them from reconnecting 
to the network even if they try 
to access it from a different 
location. 


Lower-Cost VPN 
Gateway on Tap 


AEP Networks Inc. introduced 
the Netilla Secure Gateway 
Appliance Tunnel, a compact, 
preconfigured VPN gateway 
that, at $2,495 for 25 concur- 
rent users, is designed to low- 
er the cost of entry for SSL- 
encrypted application access. 
The product delivers high- 
speed performance while 
providing secure access to 
an array of Windows applica- 
tions, according to AEP. 


ScanSoft Releases
New PDF Software 


ScanSoft Inc. in Peabody,
Mass., has released a new appli- 
cation that creates, converts, fills 
and edits Portable Document For- 
mat files. ScanSoft PDF Convert- 
er Professional 3.0 allows users 
to create PDF files from any PC 
application, provides support for 
security and encryption, and in- 
cludes features such as sticky 
notes and highlighting tools, the 
company said. The FormTyper 
feature makes it possible to fill out 
any PDF form with a single click, 
while the PDF Converter turns 
existing PDF files into fully for- 
matted Microsoft Word, Corel 
WordPerfect or Microsoft Excel 
documents. Pricing starts at $99 
per user. 


DataFlux Unveils 
Data Quality Tool 


DataFlux Corp., a subsidiary of
SAS Institute Inc. in Cary, N.C., 
last week announced the newest 
version of its data quality integra- 
tion suite. Version 7.0 of the 


DataFlux Data Quality Integration


Solution allows companies to en- 
force business rules like address 
standardization, product code 
classification or identity matching 
to applications and databases 
that house customer, product, 
supply chain or finance data, ac- 
cording to DataFlux. The new 
platform includes a GUI-based 
design infrastructure that allows 
business and IT users to build 
processes to inspect, correct, in- 
tegrate and enhance data. Pricing 
starts at $75,000. 


Brocade Buys 10% 
Of Tacit Networks 

Brocade Communications Systems
Inc. in San Jose announced
last week that it is buying a 10% 
share of Tacit Networks Inc. for 
$7.5 million. Brocade plans to 
sell South Plainfield, N.J.-based 
Tacit’s iShared wide-area file- 
sharing software and may even- 
tually integrate the product into 
its own storage switch. 
Looking Beyond
The Big Three

IF YOU WANT TO understand your technology strategy options, my usual advice is that you should study Microsoft, Oracle and IBM. There’s hardly a software product category in which at least one of them isn’t a market leader and marketing trendsetter. Enterprise applications, personal applications, operating systems, app servers, network management, security, analytics, app development, nontabular data types, search, speech recognition — you name it and they’re there. And, of course, in database management, they pretty much have divided the whole market up among themselves.
But despite the overwhelming mar- 
ket power of the Big Three, a few other 
database management systems vendors 
are still standing, and there are things 
to be learned from them, too. An inter- 
esting matched pair of such companies 
is Progress Software Corp. and Inter- 
Systems Corp., two of the last remain- 
ing major independent software ven- 
dors in the Boston area. Both started as 
fourth-generation language (4GL) ven- 
dors but soon added matching DBMSs, 
which, at least nominally, provide the 
bulk of their revenues. Both sell pri- 
marily through indirect channels but 
derive a large minority of their rev- 
enues from direct enterprise sales. 
Both seem to have decided that object- 
oriented database and middleware 
technology is the wave of the future. 
And that’s where the similarities end. 
InterSystems is the smaller and less 
established of the two. But it’s also the 
more interesting company right now, 
thanks to an unusual DBMS architec- 
ture. InterSystems’ Cache database 
manager has a fundamentally object- 
oriented design. That is, the native 
DML/DDL (Data Manipulation/
Description Language) is
emphatically object-orient- 
ed, and the access methods 
are optimized for the stor- 
age and retrieval of entire 
objects. This language is a 
proprietary outgrowth of 
the Mumps standard 
(Massachusetts General 
Hospital Utility Multi- 
Programming System), a 
health-care-oriented 4GL. 
Naturally, Java and XML are 
supported as well. In addi- 
tion, there is a reasonably versatile and 
effective SQL overlay. 

InterSystems would have you believe 
that the net effect is blazing perfor- 
mance in major applications, not a lot 
of performance penalty in add-on ap- 
plications, all the programming bene- 
fits of object orientation and only some 
of the drawbacks of having business 
logic and data structure intertwined. 

A look at InterSystems’ user base sug- 
gests there’s some truth to these claims. 
Transactional systems in areas such as 
trading floors and telephony billing 
support the performance claims. The 
Cache partner catalog does imply that 
the heart of the business is specialized 
apps in areas such as patient records — 
but a few complete back-office suites 
suggest that the relational features 
work at least somewhat as advertised. 

To understand what's going on under 
the covers of Cache, recall that the real 
action in a DBMS usually takes place in 
the indexing system. Like any other ob- 
ject-oriented DBMS, Cache essentially 
accesses data via a tree structure that 
mimics the object hierarchy. In the case 
of Cache, the index is just as
object-oriented as — and indeed stored in the
same way as — the data itself. The tree 
structure, in turn, is implemented via 
highly multidimensional (and very 
sparse) arrays with lots of possible sub- 
scripts. The whole thing is navigated 
via relational-like b-trees, which Inter- 
Systems insists are rigorously self- 
rebalancing. And Cache is particularly 
fast at updating bit-mapped column in- 
dices, a nice boost to SQL performance 
for some complex queries. 

Should you use Cache instead of 
Oracle or DB2? Probably only if a huge 
performance advantage can be proved 
for a particular application. But is 
Cache a harbinger of future directions 
from the big DBMS vendors? Quite 
possibly. True object orientation and 
complex XML are each awkward to 
support in classical relational struc- 
tures, and both Oracle and IBM show 
refreshing willingness to go beyond 
classical relational dogma. 

Progress’ story can be construed to 
somewhat corroborate that of Inter- 
Systems. Its main business is actually 
based on a much more conventional re- 
lational DBMS and 4GL. Although ma- 
ture, that segment remains fully com- 
petitive, and Progress is vying with 
Oracle and Microsoft for “embedded” 
DBMS market leadership. Credit for 
this goes to Progress’ historical focus 
on indirect sales and to some historical 
product advantages, such as a no-DBA 
RDBMS and what was once the best 
4GL available. But even so, Progress’ 
core techies now think the future is in 
object-oriented DBMSs (and associated 
middleware) as well. And while they 
flirted with pushing XML over object 
orientation as the post-SQL DBMS par- 
adigm, like InterSystems they now es- 
pouse object orientation as the data ar- 
chitecture wave of the future. @ 54172 
Lurking Liabilities

In Security Law 

Some laws and regulations get all 
the attention, but others that might 
fall outside your radar are just as 
important. Here are five legal issues 
to watch out for in the realm of 
information security. Page 31 


ABOUT 25 YEARS AGO, Robert Rosen and his bosses were engaged in “big debates” about IT staffing levels at the federal agency at which he was working. To find answers, he sought comparative numbers from other organizations that were running similar systems.
Rosen had already been a member 
of the Share user group for about a 
decade, so he didn’t have to look too far 
to find what he needed. Fellow mem- 
bers supplied him with the data. He as- 
sembled a full report and sent it along 
to management. “That helped me sig- 
nificantly,” says Rosen, now a CIO in 
the federal government. “That kind of 
made my reputation as [someone who 
can] get outside our little focus area” 
and come up with other perspectives. 

That, many say, is the most important 
of several benefits user groups provide 
IT professionals and — by extension — 
their organizations. Others include net- 
working with various IT professionals, 
getting the lowdown on the latest ven- 
dor releases and influencing vendor of- 
ferings through feedback on products. 

User groups are increasingly valuable 
today as some vendors target other 
companies for merger or acquisition. 
“Vendor consolidation, such as Oracle 
Corp.’s acquisition of PeopleSoft, has 
[required] IT professionals to look to 
user groups for information,” says Foad 
Fadaghi, research director in the tech- 
nology practice at Frost & Sullivan Ltd., 
a global business consulting firm. 

“IT professionals can use their user 
groups to understand what others are 
doing in the face of consolidation,” says 
Fadaghi, noting that information about 
how peers are dealing with migration, 
account management and integration 
issues “can empower the buyer.” 

Groups also advocate for users during a takeover by “kind of waving the flag, saying ‘Don’t forget about us!’ ” says Julie Silverstein, chief operating officer at SmithBucklin Corp. in Chicago. SmithBucklin provides management and professional services to about 20 user groups, including Encompass, Share, the Americas’ SAP Users’ Group and InSight.

And, as the Quest International Users Group discovered earlier this year, vendors listen. Quest focuses on PeopleSoft World and J.D. Edwards’ Enterprise One software, and since Oracle bought PeopleSoft in January, “there has been a lot of interest [from Oracle] in what customers think,” says Quest President Fred Pond. Pond is also director of information services at Schnitzer Steel Industries Inc. in Portland, Ore.


Q&A

The End of Corporate IT
Love him or loathe him, you'll want to read what Nicholas Carr has to say about the (short) future of your in-house IT group. Page 32

Fadaghi says an IT professional who is looking to join a user group should determine the value he can derive from it. Things to look for include independent speakers at events, high levels of member participation and testimonials from peers.


OPINION

Management Controls: A Lost Art
Good management controls are the basic blocking and tackling of IT, says Bart Perkins. Letting controls at your company grow lax can set you up for embarrassment and failure. Page 36


A Broader View

IT pros say user groups can offer new perspectives and big paybacks for your organization and your career. By Rick Sala


30 COMPUTERWORLD May 9, 2005


[Sidebar listing six user groups; only the following is legible in the scan.]

Share. Focus area: IBM products for IT professionals. www.share.org

Americas’ SAP Users’ Group (ASUG). Founded: 1991. www.asug.com

InSight. www.insight-net.org

Encompass. Focus area: Hewlett-Packard technologies

International Oracle Users Group (IOUG). www.ioug.org

Quest International Users Group. www.questdirect.org

Here’s a look at four representative 
user groups: 


A Hewlett-Packard Co. user group, Encompass is no stranger to mergers, having lived through HP’s purchase of Compaq in 2002 and, four years earlier, Compaq’s acquisition of Digital Equipment Corp. (Encompass was formed in 1961 as DECUS, a user group for Digital products.) Many of its more than 10,000 members come from the technical side of IT, though many are influential enough in their organizations that they report to the IT director or the CIO, says Kristi Browder, director of IT at Silicon Laboratories Inc. in Austin and Encompass’ president.

Like most user groups, Encompass sponsors annual events and local chapter meetings where members can exchange IT knowledge, Browder says.

It has also started using the Web as a vehicle to enhance interaction. For example, Encompass hosts a monthly webcast on a chosen issue (a recent topic: concepts in storage-area network design) and touts four special interest groups — focusing on enterprise Unix, OpenVMS, enterprise storage and Linux — in which users can learn more about HP technologies and help one another solve problems.


Share

In 1955, two years after IBM released its first computer, Share became the world’s first user group. Its member list of more than 2,000 organizations includes most of the Fortune 500, along with universities and colleges and federal, state and local government organizations. Each of the group’s semiannual conferences offers five to seven sessions daily, and the information sharing continues into the evenings at social events, Rosen says.

Over the years, he has heard stories 
of how Share conferences have helped 
solve members’ problems or boosted 
careers. Rosen tells of a member who 
came to a conference despite a costly 
technical problem she was facing at 
the office that would probably take 
two to three months to solve. After 
taking in a session, she sought out the 
speaker, who wrote down a few lines 
of code that saved her company more 
than $100,000 in code modification.
“It’s the little things that are really the 
big payoffs,” Rosen says. 


Fifteen years ago, German software maker SAP AG trained its sights on the Western Hemisphere for its ERP products. At SAP’s annual conference, a group of U.S. attendees decided to form a users’ group, something the organizers and the vendor felt would help SAP’s efforts, according to the group’s current president, Karen Chirico, who is also manager of Honeywell Corp.’s Aerospace Financial Center of Excellence in Phoenix.

The group and SAP agreed that they 
needed to band together. SAP wanted 
to learn how business works in the U.S., 
Chirico says. On the user side, she 
adds, “the Americas had absolutely no 
concept of what an ERP system was.” 

Today, ASUG has more than 30,000 
members, covering about three quarters 
of SAP Americas’ customer base. The 
annual spring conference provides op- 
portunities for face-to-face interaction, 
and there’s also a Web-based member 
network in which a member with a prob- 
lem can outline it in hopes of finding an- 
other member who can help him solve it. 


As health care organizations deal with issues of cost control, managed care and patient privacy, they lean more heavily on technology. That’s where a group such as InSight can play a key role, according to Cyndi Jones, InSight’s president and CIO at St. Luke’s Health Network in Bethlehem, Pa. “In this environment, where there’s so much [going on in IT], the value of this user group is that you can really optimize the products faster,” she says.

InSight represents customers of 
McKesson Provider Technologies, a 
subsidiary of health care IT vendor 
McKesson Corp. Membership has 
increased 10% to 15% in the past two 
years as a result of increased industry 
investment in IT, according to Jones. 
Despite the group’s independence, 
McKesson’s involvement has been 
“very intense and very collaborative,” 
as well as quite supportive, providing 
money for various functions and speak- 
ers for group events, Jones says. 

InSight holds an annual conference 
and trade show that draws about 3,500 
to 4,000 attendees and is growing each 
year. It also provides members with an 
opportunity to become involved with
committees and projects. In addition, 
members take an active role in moni- 
toring online discussion boards on the 
group’s Web site. 


User Group/Vendor Tango 
There was a time when user groups 
and IT vendors had testy relationships, 
SmithBucklin’s Silverstein says. But to- 
day, both sides realize that they need 
each other. And while organizations 
that pay for employees’ user group 
memberships expect a return on that 
investment, “vendors today want an 
ROI too,” Silverstein says. 

Vendors see user groups not just as 
sales vehicles, but also as feedback 
mechanisms, she explains. The vendors 
provide speakers for group events and 
attend trade shows, looking beyond 
sales and marketing opportunities for 
focused feedback on products. 

User groups are “a big part of our 
investment each year,” says David 
Parsons, vice president of Americas 
enterprise marketing at HP. The four 
groups HP works with are “invaluable 
constituent communities” that provide 
a broad range of perspectives and 
ideas, so “we want to preserve and 
protect that,” he says. 

For users, regular, face-to-face meet- 
ings, ongoing forums and Internet 
bulletin boards are all useful, says 
Fadaghi at Frost & Sullivan. And in the 
future, he says, “more of these meet- 
ings will be global and facilitated 
through videoconferencing, webinars 
and chat rooms.” 

Regardless of the vehicle, members 
cite the personal interaction in helping 
solve a work-related problem that you 
can’t get from a book and might not get 
from a class costing hundreds of dol- 
lars more. “The most important return 
on investment is your ability to help 
the company,” says Silverstein. “The 
payback has got to be in your job. If 
you work for a corporation, the things 
that you learn are just tremendous.” 

Your organization expects you to 
know the technology, Share’s Rosen 
adds. So calling on a peer network that 
comes from a user group can help keep 
the organization humming, keep you 
employed and possibly help advance 
your career. These, he says, “are the 
really big payoffs.”





Saia is a business technology writer and 
editor in Shrewsbury, Mass. 
Lurking Liabilities in Security Law

Five new legal issues in security … cause trouble for the unwary CIO

CIOs HAVE A NEW NAME TO KNOW: Zubulake. And if they don’t, they could be heading for trouble.

Zubulake is shorthand for the case of Zubulake v. UBS Warburg LLC, which was heard recently in a federal court in New York. The court’s decisions in that case established new standards for retaining electronic data.

“The courts are increasingly de- 
pending on companies and their 
lawyers to produce electronic evi- 
dence and to make sure it’s not de- 
stroyed,” says Adam Rosman, a lawyer 
at Zuckerman Spader LLP in Washing- 
ton. “It was an obligation that didn’t 
previously exist.” 

CIOs have had to contend with 
hackers, worms and viruses for years. 
And they’re getting a handle on new 
federal regulations that set additional 
security requirements. But even veter- 
an IT executives may be ignorant of 
some crucial aspects of security law, 
like the requirements coming out of 
the Zubulake case, lawyers say. 

These security measures, while im- 
portant legally, fail to attract adequate 
attention because they’re evolving 
standards, they’re mixed in with re- 
sponsibilities traditionally handled by 
other executives, or they’re simply 
downplayed by the executive suite. 

But CIOs need to make these new obligations a priority or live with increased risk of legal action. “There is some important work to be done to bring the CIO and the security officers up to speed,” says J. Beckwith Burr, a partner at Wilmer Cutler Pickering Hale and Dorr LLP, which has headquarters in Boston and Washington.

Here are five security concerns that 
might have eluded some CIOs: 


A THREAT OF LEGAL OR REGULATORY ACTION against your company should spur you to adopt more-conservative data-retention procedures. This is just as important as abiding by the rules for data storage that have emerged from the Zubulake case and better-known mandates, such as the Sarbanes-Oxley Act. “When you get wind that someone might be thinking of suing you, you have to immediately change your document destruction procedures so you don’t destroy anything that might be evidence,” says Stuart Meyer, a partner at Fenwick & West LLP in Mountain View, Calif. “You can be sanctioned to the tune of millions of dollars — and many companies have — because they didn’t suspend their normal procedures.”


SECURITY THREATS FROM EMPLOYEES represent another often-overlooked risk that could land CIOs and companies in legal trouble. Some employees act maliciously, but others are duped. For example, a federal report released earlier this year found that 35 out of 100 managers and employees of the Internal Revenue Service provided their network log-on names and temporarily changed their passwords when asked to do so by U.S. Department of the Treasury inspectors posing as computer technicians.

Companies have an obligation to secure their information, even from their own employees, says Robert M. Weiss, a partner at Neal, Gerber & Eisenberg LLP in Chicago. For example, if an unauthorized employee accessed another employee’s personnel file, officers and the company itself could be sued.


CORPORATE RELATIONSHIPS WITH THIRD-PARTY SERVICE PROVIDERS also present potential legal problems, lawyers say. For example, most contracts today limit the liability of outsourced providers to the cost of the contract.

“So if there is a security meltdown, contractually the vendor isn’t responsible,” Burr says. That means that regulators, shareholders or corporate clients could go after the company — not the provider — if there were a breach.

“The question is how you meld your legal and procurement function with your IT function with your privacy operations and your security operations,” Burr says. “There’s a lot of communication that needs to go on to make sure all the bases are being covered.”

CHANGES IN BEST PRACTICES have come quickly with new laws, regulatory requirements and court decisions, and the implications could go well beyond initial expectations. Take, for example, federal laws such as the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act and Sarbanes-Oxley. They have security mandates for specific segments of the economy: financial services, the health care industry and public companies.

But these and other laws set “standards of care” that courts everywhere might rule apply to all companies — even those not specifically covered by the laws, Meyer says.

“The general notion is if you act as a reasonable person would act, you shouldn’t be held liable,” says Greg Lippetz, a partner at Boston-based Bingham McCutchen LLP. “But ‘reasonable’ today is different than three years ago. The bar is rising.”


DOUBLE-EDGED AUDITS also pose a challenge. Most CIOs know that security standards are changing, and many use audits to find holes in their companies’ policies and procedures. But audits themselves can cause legal trouble if companies don’t follow up quickly on the results.


“If you have knowledge of a security 
gap and you don’t correct it and some- 
thing happens, it’s hard to escape 
liability,” says David MacDonald, a 
New York-based partner at Kirkland 
& Ellis LLP. 

On the other hand, companies that 
fail to make reasonable efforts to find 
security gaps may also be liable. 

That’s why CIOs need to get crack- 
ing, lawyers say. They must educate 
other executives about the legal need 
to meet these new standards so they 
can get the money, time and staff they 
need to do the job. 

“The most effective way to address security within a company is to take a very practical approach where you get executive buy-in and the resources you need to educate folks, deploy the technology, monitor it and reconstruct what happened if you have breaches,” says Karen L. Casser, a partner at Symbus Law Group LLC in Washington. “That way, you put your company in a position to argue that you did your due diligence.”





Pratt is a Computerworld contributing 
writer in Waltham, Mass. Contact her at 
marykpratt@verizon.net. 
… of the MIT Sloan Management Review, Nicholas G. Carr continues his controversial writings about the fu… have been vilified … no one has called them boring. This time, he told Computerworld’s Kathleen Melymuka that the corporate IT department is an idea whose time has almost gone.


You call your article “The End of Corporate 
Computing.” Why? Up till now, it’s been 
assumed that companies have to own 
the basic assets involved in computing. 
I think we’re moving to a time when 
that assumption will be overturned 
and those assets will begin moving 
from within companies to more cen- 
tralized utility suppliers. 

It’s a shift similar to what we saw 
100 years ago, when all manufacturers 
maintained their own electric genera- 
tors to power machinery. Over 20 or 30 
years, they shut down those generators 
and began to buy electricity from utili- 
ties. Just as today we wouldn't talk in 
terms of corporate electricity genera- 
tion, I think tomorrow we won't talk in 
terms of corporate computing. 


There has been lots of discussion over the past few years about utility computing. What’s different about your take on it? I try to look at the economics of business computing as opposed to the technology of utility computing itself. I argue that up till now, a lot of the utility computing discussion looked at isolated instances of hosted applications, like Salesforce.com or one company hosting another’s Web sites. It’s easy to believe this is a fragmented phenomenon that will have a bunch of companies providing a limited number of outsourced services.

I believe it’s a much bigger wave of change in that today’s entire model of business computing is built around fragmentation of basic assets — everyone having to buy what, in many cases, is similar equipment and software. All that stuff will ultimately be centralized outside companies, and that will lead to much greater efficiency that will translate into lower costs and greater reliability for users.


Assuming you’re right, this is more of a gradual evolution than a “sky is falling” event, right? Absolutely. We’re not going to wake up tomorrow and get all our computing requirements through a socket in the wall. It will take a couple of decades for this to roll out. It’s a matter of utility suppliers slowly building up enough scale and enough expertise that they can replace ever larger internal data centers.

It tends to start with smaller companies that find it difficult to buy and maintain their own systems. Those are the first ones to move to a utility model. As the utility model gains greater efficiency, it will get scale advantages over larger corporate IT functions.


The utility model brings dependence on a single vendor, which reasonably worries IT folks. How would you keep the utility honest? That’s a good question, because beyond the interests of individual users, there’s a danger of too much of this very important infrastructure falling into the hands of too few companies. It’s critical that there continues to be competition both at the level of the utility and of component suppliers to the utility. Don’t think hardware and software companies will go away; they’ll just shift from supplying the user to supplying the utility company. So it’s critical at the highest level to ensure strong competition between all those parties. Eventually, as with electricity, it may require the government moving in to ensure that there isn’t too much consolidation.

At the individual company level, there are certain risks involved in consolidating your assets with one supplier, but also considerable gains. Ultimately, those advantages of getting rid of the responsibility for expensive, finicky assets will come to overwhelm fears of letting somebody else run this.

Looking at the electricity analogy, electricity doesn’t involve the kind of security risks inherent in data transfer. How does security fit into this picture? I think that ultimately centralizing control over a lot of the basic IT infrastructure will actually increase the level of security over the current highly fragmented and distributed model. Where IT is more distributed, it’s more vulnerable in many ways. One of the advantages of a utility model is that the entire success and fate of the utility hinges on its ability to maintain security.

Having said that, there are certainly different security issues when you have consolidation of data, and at a technology and policy level, it’s going to take some innovations and advances to get to the level of security necessary for really large-scale utilities to emerge. But over time, economics will drive those and it will happen.

You say an outside supplier will take responsibility for all of a company’s IT requirements - from infrastructure and storage to applications. Isn’t that like expecting the power company to also supply your light bulbs, TV and vacuum cleaner? Not really. A key difference [between electricity and IT] is the number of layers of applications, and I don’t mean just application software. With electricity, you had generation and uses that had to take place locally — like the vacuum. With IT, there’s the basic infrastructure, then a layer of application software that can increasingly be run remotely. Then how the outputs of that application software are used by companies — that’s the “vacuum” layer that will stay local. Companies will still have to figure out how to best use the information in software applications and how to adapt processes and do all the stuff that you need to do today. The difference is that someone else can worry about all the underpinning.

In your vision, does anything recognizable as IT still exist? Under this model, what we now call an IT department is unlikely to continue to exist in its present form, but I think you’ll still need people that combine deep technical knowledge with strong business and process knowledge, because there is still going to be a need for that person who can translate everything you’re buying from outside providers and interface that to your own processes.

If you make the assumption that recently IT departments have begun to shift to more of a process and business focus, in some ways this will be a continuation of that shift.

DANGEROUS MINDS

Nicholas Carr discusses the sometimes hostile responses to his ideas:

A virtual roundtable of IT experts rebuts Carr’s argument.

Bob Metcalfe and Carr square off at the Premier 100 IT Leaders Conference on the question of whether IT really offers companies a competitive advantage. MARCH 15, 2004

Turbulent Times: A short interview with Carr about the continuing controversy over his article and subsequent book. MAY 17, 2004
… traits used to describe the candidate. If an applicant is called “accurate,” “detailed” and “careful,” that could be a good sign, because those are positive indicators for certain types of jobs. On the other hand, referring to a person as “creative” or saying he “works fast” may send a completely different message. “If you are trying to build a team,” Aamodt suggests, “look for words [or phrases] like ‘agreeable’ and ‘gets along with others.’”

… think it’s going to be positive. Aamodt says that of nearly 6,800 different reference ratings he’s studied, 96% placed …

Aamodt presented his findings recently at the annual meeting of the Society for Industrial and Organizational …

- Mitch Betts

KAREN M. RUBENSTRUNK ON CIO HIRING...

Korn/Ferry International

Having recently decamped from the former Meta Group, where she spent 10 years providing counsel and advice to Fortune 500 CIOs, … going on at the top of the IT … her new role at executive recruitment firm Korn/Ferry. She spoke with contributing editor Jamie Eckle.

… Rise in job postings on Dice.com since the beginning of the year.

What are companies telling you that they’re looking for in senior IT leaders these days? Have the must-have characteristics changed in recent years? The must-haves haven’t changed. I have a tendency to be fairly cynical about this idea that the CIO has suddenly become a business leader, needs to be from the business, technology is secondary, etc. The reason I am cynical is that the job description for most CIOs reads fairly close today to what it did two years ago.

What is different, however, is which skills are at the top, which skills are being tested the hardest through the interviewing process, and the percentage of clients actually hiring to the job spec. Clients want a multifaceted executive who has the business acumen to run a business unit whose products and services are technology-based. Communications skills, relationship management skills and financial (read: value) analysis skills have moved to the top of the list. From an interviewing perspective, clients are looking for indications of resiliency, incredibly crisp communications and passion. I believe this is happening for two reasons: 1) The CIO today is much more involved in maximizing the effectiveness of end-to-end integrated business processes. That means that the executive must be able to play cheerleader and chief negotiator across multiple business units. And 2) CEOs are beginning to recognize their own role, and the role of their executive team, in the success of the technology investment.

The CIO hiring pendulum seems to be swinging back … Any difficulty in finding candidates who … for? Yes, it is a seller’s market right now. If you think about it, a great CIO is a great CEO: an executive who is responsible for setting a compelling vision for the future while at the same time assuring that day-to-day operational excellence provides the opportunity to be in business in the future. You’re talking about an executive who is an excellent communicator, both strategic and tactical, and, oh by the way, also has deep understanding for the power of technology. So if you look at it, it’s as hard to find that perfect CEO as it is to find that perfect CIO. If you access our research on CEO and CIO profiles, you’ll see that the profiles of the most successful CEOs and CIOs are quite similar — a great leader is a great leader. Now, on a more concrete note, we have had 50 CIO searches open up in one of our verticals alone within the last 24 months. The demand is outstripping supply. As a result, I have noticed a much greater willingness on behalf of CEOs, CFOs and COOs to be coached in how to construct the job so as to attract the right candidate.

What’s the level of CIO turnover these days? It’s about the same as it has been. Again, having spent 10 years hip-deep in working with CIOs, I had a hard time believing that CIO ever meant “career is over” or that the average tenure of CIOs was 24 months. I believe it is actually more stable than the press reports. However, I also know from professional and personal contacts that many more CIOs are looking to change companies within the next year. I believe there is a growing sense of “been there, did it, ready to move on” as much as there is a growing discontent with the overall influence of the CIO within the executive team.
Xilinx Taps Cooney

Xilinx Inc., a San Jose-based maker of programmable logic software, has appointed KEVIN COONEY from its Dublin offices as corporate vice president and CIO. Cooney served previously as Xilinx senior director of IT and business development for Europe, the Middle East and Africa. He will continue as a member of the board of directors at Xilinx Ireland and will run global IT operations from Xilinx’s European headquarters in Dublin. Prior to joining Xilinx 10 years ago, Cooney served in a variety of executive positions at Digital Equipment Corp.

U.S.I. Names CIO

C. JEFF PAN has been appointed CIO and senior vice president for business transformation at U.S.I. Holdings Corp. in Briarcliff Manor, N.Y. Pan is responsible for transforming the company’s processes for IT, accounting and administrative services to a more efficient model. Pan joined U.S.I. in February through the company’s acquisition of Summit Global Partners, where he had been president since 2003. He has also served in senior positions at California Federal Bank, Ford Capital Ltd. and First Gibraltar Bank.


Sadiq, Helm to Lead 
At Drugstore.com 


Drugstore.com Inc., a Bellevue, 
Wash.-based online provider of 
pharmacy products, has appoint- 
ed TALAT SADIQ CIO and JOHN 
HELM chief technology officer. 
Sadiq will oversee all aspects of 
technology planning, develop- 
ment and operations. Helm, who 
will report to Sadiq, will be re- 
sponsible for the overall IT archi- 
tecture and day-to-day technol- 
ogy operations. Most recently, 
Sadiq was vice president of 
strategic business development 
at iSpheres Corp. Helm was pre- 
viously head of architecture at 
Merrill Lynch & Co. and taught in 
the department of applied physics 
at Columbia University. 





Management Controls: Lost Art

THE BASIC MANAGEMENT CONTROLS required to run an effective IT organization are quickly becoming a lost art. Many companies have lost touch with the fundamentals of IT management. The industry originally learned these fundamentals during the 1970s and ’80s, but today there are large numbers of IT organizations with surprisingly weak management controls.

As a result, these companies are often unable to perform basic IT functions, such as building coherent business cases, assessing project risk and developing accurate capacity plans.

How did this happen? The enormous expenses associated with Y2k, and the huge losses induced by the dot-com bubble bursting, produced more animosity than gratitude toward IT. Many IT organizations (and CIOs) lost significant credibility in the post-Y2k era. Management’s desire to cut back on IT was exacerbated by a struggling economy and falling profits. Consequently, most IT budgets were cut severely and repeatedly. Virtually everything beyond maintenance for existing systems often got axed, leaving few resources for new development.

To complicate matters further, the industry lost many experienced executives. CIOs grew tired of the never-ending budget wars and constant attacks, and many (who could afford to) retired. Unfortunately, they took their expertise with them. The CIOs who replaced them often lacked expertise in delivering new applications, since their experience was acquired in an era dominated by maintenance.

For that reason, many IT organizations no longer understand how to prioritize projects effectively, establish cost accounting procedures or accurately estimate a new system’s production costs [QuickLink 49668]. For example, one client recently requested a “sanity check” on a $500 million plan to redevelop its legacy applications. The review revealed that the ongoing production costs for the new applications had been underestimated by roughly $40 million a year. The CFO postponed his presentation to the board of directors and sent the program team back to the drawing board, before the erroneous numbers became set in stone. Unfortunately, many CFOs don’t learn of such errors until they show up as significant budget overruns, when it’s too late to reset expectations.

Insufficient management controls also 
complicate outsourcing efforts. Without 
accurate business cases, you may make 
the wrong outsourcing decisions. And 
afterward, your ability to work well with 
your outsourcer will rely heavily on ar- 
eas such as capacity planning, specifica- 
tion review, change control, acceptance 
testing and cost accounting — basic 
management controls. Without these 
controls, you will have difficulty select- 
ing, managing and benefiting from your 
outsourcer. 

In order to upgrade your management 
controls, focus on basic blocking and 
tackling: 

• Adopt well-understood management practices. Unfortunately, IT doesn’t yet have an equivalent of generally accepted accounting principles or a Financial Accounting Standards Board to establish industry standards. However, well-defined procedures for systems development, change control, problem management and so on are available from sources such as consulting and research firms. Some companies are starting to use the IT Infrastructure Library framework from the U.K., although it isn’t yet widely used in the U.S.

• Leverage existing expertise. Basic controls are well understood by “gray hairs” in the industry. Get advice from experienced executives or outside experts to speed the process and avoid reinventing the wheel.

• Enlist internal support. Partner with internal audit or accounting to help build the case for establishing strong internal management controls. Regulations such as the Sarbanes-Oxley Act, the USA Patriot Act, the Health Insurance Portability and Accountability Act and Basel II (regarding financial services) all demand strong controls to ensure compliance. Moreover, internal audits can often provide valuable feedback regarding the quality of any existing controls.

• Develop a rollout plan for implementing new controls. Don’t attempt to establish all the needed controls at once. In large corporations, this effort can easily require years to finish. Break up your control improvement program into a series of interleaved projects.

• Don’t give up. Although basic controls are necessary, they are often unpopular. You will probably face resistance from people who don’t like structure. Persevere!

Basic management controls are critical to successful IT management. They bring much-needed discipline to your organization and enable you to deliver products and services more effectively.

The success of your IT organization depends largely on effective use of basic management controls. Refocus on the basics.
having the latest
Oracle

For example, the quarterly schedule for releasing security updates that Oracle adopted last fall is a sore spot for Arup Nanda, director of database engineering and operations at Starwood Hotels & Resorts Worldwide Inc. in White Plains, N.Y. The company runs Oracle Database 10g in a Real Application Clusters configuration, and Nanda said large software patch kits can be challenging to install. He would rather be sent patches as they become available.

Thompson said users can, in fact, access patches themselves from MetaLink whenever they want, though only quarterly patches are automatically sent to users.

Other users said they prefer the regular patch distributions, which include best practices information and are more standardized than one-offs, said Ari Kaplan, incoming president of the IOUG and president of Expand Beyond Corp., a wireless management software vendor in Chicago.

Thompson, who delivered a keynote at the conference, had served as CIO at PeopleSoft Inc. until Oracle acquired it in January [QuickLink 51831]. Responding to customer demand, Oracle will now support each release of its database and Oracle Application Server for five years, starting with Version 9.2 of the database and Version 10.1.2 of the application server, Thompson said. Oracle previously provided three years of service.

Thompson said the new MetaLink content has been available since January. The offering now includes live product demonstrations, hundreds of tips for users and an enhanced search engine to help direct customers looking for specific information or work-arounds.

Since late last year, Oracle has also been offering Web collaboration technology to help customers directly link up with a technician to troubleshoot problems, Thompson said. The sessions allow Oracle technicians to more quickly diagnose problems, speeding up resolution times by 30%, or about 20 minutes per diagnostic session.

Oracle expects the improved support tools will help users cut administrative costs and thus ease its reputation as a costly database supplier, said Rebecca Wetteman, an analyst at Wellesley, Mass.-based Nucleus Research Inc. The improved support should help users get by with fewer administrators, she said.

John Matelski, deputy CIO for the city of Orlando, had expressed concern about support when the Oracle-PeopleSoft deal closed. But he said Oracle is “clearly making significant strides to continue to support, sustain and educate their customers.” The city runs financial applications that were developed by J.D. Edwards & Co., which Oracle acquired when it bought PeopleSoft.


Oracle User Groups Unite on Conference Plans

The IOUG and two of Oracle's other user groups said last week that they're banding together to hold a combined annual conference starting next year.

In a similar announcement, Oracle rival SAP AG and its independent user group for the Americas region said they plan to hold their U.S. conferences back to back in the same location next spring.

The database-oriented IOUG is teaming up with the Atlanta-based Oracle Applications Users Group (OAUG) and the Lexington, Ky.-based Quest International Users Group, which is made up of the J.D. Edwards & Co. application users that Oracle inherited when it purchased PeopleSoft Inc. earlier this year.

The initial combined event, dubbed Collaborate 06, is scheduled to be held next April in Nashville and will include educational sessions and keynote speeches by Oracle employees, according to a statement issued by the three user groups.

Incoming IOUG President Ari Kaplan said that each of the user groups will manage its own specific set of sessions. For instance, the IOUG will handle the database track, said Kaplan.

But while the groups will each focus on their core technologies, attendees will also be able to discuss common issues, said John Matelski, deputy CIO for the city of Orlando and executive vice president of Quest. He added that the conference will give the user groups a chance to “begin working toward a unified voice on topics of interest.”

Matelski said the user groups will continue to hold separate regional meetings but will make the combined conference their only global event. “There are clearly economies of scale to be gained for the user groups and Oracle by consolidating the [existing] conferences,” he noted.

But Steven Hughes, the OAUG's executive director, said the decision to hold a single conference was more about the breadth of information that could be offered to users than any financial considerations.

SAP said the U.S. version of its Sapphire show will remain separate from the annual conference held by the Americas’ SAP Users’ Group. But the two events will be held during the same week next May in Orlando.

SAP is studying whether it should also collocate Sapphire and user group conferences in other parts of the world, said William Wohl, a spokesman at SAP America Inc. in Newtown Square, Pa.

It may not make sense in regions such as Europe, “where there’s more of a country-by-country focus,” Wohl said. “But it's something we're certainly willing to consider if there's demand.”

- Marc L. Songini, with John Blau of the IDG News Service


Smaller Arrays, Open-source Cut IT Costs at Ameritrade

BY LUCAS MEARIAN

Ameritrade Holding Corp. CIO Asiff Hirji spoke with Computerworld last week about the company’s consolidation with Datek Online Holdings and its efforts to slash IT costs by replacing high-end storage arrays with midrange equipment and using open-source technologies.

What are your greatest challenges these days?

One, I’m trying to create additional functionality that takes complexity out of trading. Second, some of the vendors we work with simply don’t get where they need to be on a cost/performance scale. So we're throwing them out and replacing them with people who get it. Third, I’m trying to cope with the volume of demand. That’s the constant battle.

You say some vendors aren't getting where they need to be on the cost vs. performance scale. How is that different today from two or three years ago?

My personal belief is something like 90% of all databases out there right now could be replaced by open-source because most of the database applications that exist are very simple databases with a thin-layer application on top that says, “Do a query, or do an insert.” You don’t need the hundreds of thousands or millions of dollars in an Oracle implementation or Siebel or anyone else to do a lot of that stuff.

We've [also] done things like replace the highest-tier-type storage systems with more midtier storage systems, because the performance in the midtier storage systems has come to the point where, for our needs, they do what we need them to do. We don’t need to spend the additional money on the high-end systems.

How much money have you saved by replacing the high-end arrays?

I can’t really give you a number, but on a systems-by-systems basis, the new systems cost less than half what the old systems have.

The Datek acquisition took place two years ago. How has that conversion effort gone?

It’s been done for a year and a half. We managed to keep something like 96% or 97% of the Datek client base. We basically copied the experience they had on Datek onto our platforms by playing Lego with some of the systems and integrating a lot of the Datek technology onto our platform.

Where did most of the cost savings come from?

Whacking out tons of cost from the infrastructure. Every dollar I invest in storage is a dollar I could have used in developing the next cool [trading] tool.
Blackout

WHERE WAS IT? On Saturday, April 30, the Pentagon released an unclassified version of its report on a March 4 incident in Baghdad, in which an Italian intelligence agent, Nicola Calipari, was shot and killed by U.S. troops at a checkpoint. The unclassified document was an Adobe Acrobat file, with sections containing classified information blacked out. But for anyone who downloaded the document, discovering what was behind that electronic black ink was trivial. In fact, it was practically unavoidable. And by Monday, that classified information was everywhere.

So where in blazes was IT?

Protecting confidential data in electronic form is certainly part of IT’s job. The software that military censors used to black out those documents came from IT. IT should have made sure everything worked as planned. Instead, sensitive information such as military rules of engagement became public knowledge.

Let’s be clear: Breaking through the black ink over that classified text didn’t require hacking through encryption or using some special tool. If a reporter simply opened the file using the standard version of Acrobat Reader, then cut and pasted the text into any word processor, the blacked-out text would reappear.

And reporters don’t like retyping if they can simply cut and paste. Besides, cutting and pasting guaranteed that the report would be quoted accurately. So of course many of them cut and pasted and saw the classified information; they’d have had to work hard to avoid it.

And so did anyone else — friend or foe — who downloaded the report.

So where was IT? Why didn’t the military censors have the right tools to remove that classified information, not just cover it up? Why wasn’t a standard process followed for confirming that the classified information was removed? Those are questions the Pentagon is asking now.

They’re questions people in corporate IT should be asking, too.

How often do people in your company send out sensitive information, thinking it’s not there because they can’t see it? Every time they e-mail a Word document. Or an Excel spreadsheet, or PowerPoint presentation, or documents in any of a variety of other formats. Those users may have deleted that information from the visible document, but it might still be in the file.

It can’t always be made visible with a simple cut and paste. But it’s there. And with a little effort by an unfriendly party, it can be seen.

Maybe you knew that. But your users probably don’t. So your company’s salesmen, marketing people, lawyers and public relations reps may be revealing sales quotes, product plans, legal strategies and other information they don’t intend to. Executives may be giving away business strategy or closely held financial data.

Where is IT in all this? Protecting this stuff is what we do. We should be front and center, helping users to avoid leaking secrets. Sure, we also have to deal with worms and hackers and other threats. But we can’t let users fall through security cracks — especially when that’s exactly what users are trying hard not to do.

So talk to your users, especially the ones who send documents outside the organization. Explain the problem. Suggest work-arounds, such as converting documents to a different format and then back to the one they prefer. Listen to their objections. Work with them to find a practical way they can use to protect their confidential information.

This time, IT isn’t the users’ enemy, enforcing security rules they don’t like. We can be their ally, helping users protect information they don’t want to make public.

For once, we can stand shoulder to shoulder with users on the front lines of information security.

Which is right where IT should be.
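One way to run the confirmation step the column asks for before a blacked-out PDF is released, as an added example that is not from the original article: it reads the text-showing operators in each page stream, which a rectangle painted on top does not change, and reports any term from a redaction list that is still in the file. The sample PDF, the `SECRET` value and all function names are constructed for illustration, and a simple font encoding (Helvetica) is assumed.

```python
import re
import zlib

OBJ_RE = re.compile(rb"\d+ \d+ obj(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"(.*?)stream\r?\n(.*)\r?\nendstream", re.S)
TEXT_BLOCK_RE = re.compile(rb"\bBT\b(.*?)\bET\b", re.S)
LITERAL_RE = re.compile(rb"\(((?:\\.|[^\\()])*)\)", re.S)

SECRET = "CONSTRUCTED: unit price 41,500 USD"  # sample value, not from the article


def build_pdf(secret: str, truly_removed: bool) -> bytes:
    """Constructed one-page sample (no xref table, so only fit for this check).
    A black box is painted over line two; the text operator behind it is
    dropped only when truly_removed is set."""
    ops = [b"BT /F1 12 Tf 72 700 Td (Incident summary, public release) Tj ET"]
    if not truly_removed:
        # Split across a TJ array, as PDF producers often do for kerning.
        half = len(secret) // 2
        left, right = secret[:half].encode("latin-1"), secret[half:].encode("latin-1")
        ops.append(b"BT /F1 12 Tf 72 680 Td [(" + left + b") -15 (" + right + b")] TJ ET")
    ops.append(b"0 0 0 rg 70 676 400 16 re f")  # the black rectangle
    data = zlib.compress(b"\n".join(ops))
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R"
        b" /Resources << /Font << /F1 5 0 R >> >> >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(data)
        + data + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    body = b"%PDF-1.4\n"
    for number, obj in enumerate(objs, 1):
        body += b"%d 0 obj\n" % number + obj + b"\nendobj\n"
    return body + b"trailer\n<< /Root 1 0 R /Size 6 >>\n%%EOF\n"


def extract_text(pdf: bytes) -> list[str]:
    """Text shown by each BT..ET block, regardless of what is painted over it."""
    shown = []
    for obj in OBJ_RE.finditer(pdf):
        match = STREAM_RE.match(obj.group(1))
        if not match:
            continue  # object has no stream
        head, data = match.groups()
        if b"/FlateDecode" in head:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                continue  # not a stream this simple reader can inflate
        for block in TEXT_BLOCK_RE.findall(data):
            # Join every literal string in the block so TJ fragments reassemble.
            parts = [re.sub(rb"\\(.)", rb"\1", s, flags=re.S)
                     for s in LITERAL_RE.findall(block)]
            shown.append(b"".join(parts).decode("latin-1"))
    return shown


def leaked_terms(pdf: bytes, terms: list[str]) -> list[str]:
    """Terms from the redaction list that a copy-and-paste would still recover."""
    text = "\n".join(extract_text(pdf)).lower()
    return [term for term in terms if term.lower() in text]


if __name__ == "__main__":
    for label, removed in (("covered up", False), ("removed", True)):
        print(label, leaked_terms(build_pdf(SECRET, removed), ["unit price 41,500"]))
```

An empty result from this reader covers only literal strings in simply encoded fonts; files that use hex strings or CID fonts need a full text extractor run against the same term list.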